Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Static Contract Checking for Haskell Dana N. Xu University of Cambridge Ph.D. Supervisor: Simon Peyton Jones Microsoft Research Cambridge.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
Type checking © Marcelo d’Amorim 2010.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
1 Space-Efficient Gradual Typing David Herman Northeastern University Aaron Tomb, Cormac Flanagan University of California, Santa Cruz.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Type Checking.
Catriel Beeri Pls/Winter 2004/5 last 55 Two comments on let polymorphism I. What is the (time, space) complexity of type reconstruction? In practice –
Nathan Brunelle Department of Computer Science University of Virginia Theory of Computation CS3102 – Spring 2014 A tale.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
MinML: an idealized programming language CS 510 David Walker.
A Type System for Expressive Security Policies David Walker Cornell University.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Describing Syntax and Semantics
Type Inference: CIS Seminar, 11/3/2009 Type inference: Inside the Type Checker. A presentation by: Daniel Tuck.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Cs3102: Theory of Computation Class 18: Proving Undecidability Spring 2010 University of Virginia David Evans.
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Typed Lambda Calculus Chapter 9 Benjamin Pierce Types and Programming Languages.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
CSE 425: Data Types I Data and Data Types Data may be more abstract than their representation –E.g., integer (unbounded) vs. 64-bit int (bounded) A language.
Looping and Counting Lecture 3 Hartmut Kaiser
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
Types and Programming Languages Lecture 12 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Modularly Typesafe Interface Dispatch in JPred Christopher Frost and Todd Millstein University of California, Los Angeles
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
Types and Programming Languages Lecture 11 Simon Gay Department of Computing Science University of Glasgow 2006/07.
1 Static Contract Checking for Haskell Dana N. Xu University of Cambridge Joint work with Simon Peyton Jones Microsoft Research Cambridge Koen Claessen.
SOEN 343 Software Design Section H Fall 2006 Dr Greg Butler
CMSC 330: Organization of Programming Languages Lambda Calculus and Types.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
1 Static Contract Checking for Haskell Dana N. Xu University of Cambridge Joint work with Simon Peyton Jones Microsoft Research Cambridge Koen Claessen.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
CS 330 Programming Languages 10 / 23 / 2007 Instructor: Michael Eckmann.
Shifting the Blame A blame calculus with delimited control Taro Sekiyama* Atsushi Igarashi Soichiro Ueda Kyoto University Gradual typing.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.
Hybrid Type Checking An implementation of λ H David Waern Rickard Nilsson.
Language-Based Security: Overview of Types Deepak Garg Foundations of Security and Privacy October 27, 2009.
Types for Programs and Proofs
Semantic Analysis Type Checking
CSE 374 Programming Concepts & Tools
Accessible Formal Methods A Study of the Java Modeling Language
Stateful Manifest Contracts
Programming Languages 2nd edition Tucker and Noonan
Space-Efficient Gradual Typing
Language-based Security
Gradual Verification Seamlessly and flexibly combine static and dynamic verification by drawing on the general principles from abstract interpretation.
Programming Languages 2nd edition Tucker and Noonan
Static Contract Checking for Haskell
Presentation transcript:

Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking

C. FlanaganPOPL’06: Hybrid Type Checking2 Interface Specifications  Essential for software engineering –help manage complexity through abstraction –enable modular software development  Should ideally be –precise (i.e., formal, machine readable) –trustworthy (i.e., mechanically checked)  Examples –printBool expects a boolean –printDigit expects an integer in the range [0,9] –find expects an ordered BinaryTree –eval expects a closed, well-typed expression –precise preconditions and postconditions

C. FlanaganPOPL’06: Hybrid Type Checking3 Static Type Checking  Traditional type systems –extremely useful, decidable, but limited expressiveness Program w/ basic type specifications Type Checking Algorithm ill-typed Accept Reject well-typed Compile-time type error: expected Int, got Bool Run  Advanced (decidable) type systems –refinement types [Freeman-Pfenning 91, Xi 00, Mandelbaum et al 03, Ou et al 04...] –more expressiveness (e.g., with linear inequalities) –but expressiveness still restricted to ensure decidability

C. FlanaganPOPL’06: Hybrid Type Checking4 Static Type Checking for Expressive Specs  Expressive specifications ) type checking undecidable –can still accept and reject many programs  What to do with remaining undecided cases? Program with precise specifications Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Compile-time type error: expected Int, got Bool Run

C. FlanaganPOPL’06: Hybrid Type Checking5 Static Type Checking for Expressive Specs  Expressive specifications ) type checking undecidable –can still accept and reject many programs  What to do with remaining undecided cases? –interactive theorem proving ) powerful but not for mortals Program with precise specifications Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Compile-time type error: expected Int, got Bool Run Interactive Theorem Proving (HARD!) X

C. FlanaganPOPL’06: Hybrid Type Checking6 Static Type Checking for Expressive Specs  Expressive specifications ) type checking undecidable –can still accept and reject many programs  What to do with remaining undecided cases? –interactive theorem proving ) powerful but not for mortals –reject (or diverge) ) too brittle and unpredictable (ESC/Java) Program with precise specifications Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Compile-time type error: expected Int, got Bool Run

C. FlanaganPOPL’06: Hybrid Type Checking7 Static Type Checking for Expressive Specs  Expressive specifications ) type checking undecidable –can still accept and reject many programs  What to do with remaining undecided cases? –interactive theorem proving ) powerful but not for mortals –reject (or diverge) ) too brittle and unpredictable (ESC/Java) –accept ) cannot trust specs since they are not enforced Program with precise specifications Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Compile-time type error: expected Int, got Bool Run

C. FlanaganPOPL’06: Hybrid Type Checking8 Static Type Checking for Expressive Specs  Expressive specifications ) type checking undecidable –can still accept and reject many programs  What to do with remaining undecided cases? –interactive theorem proving ) powerful but not for mortals –reject (or diverge) ) too brittle and unpredictable (ESC/Java) –accept ) cannot trust specs since they are not enforced Program with precise specifications Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Compile-time type error: expected Int, got Bool Run

C. FlanaganPOPL’06: Hybrid Type Checking9 Dynamic Checking for Expressive Specs  Very easy and straightforward –can check any decidable safety predicate –contract languages [Eiffel, JML,...] –higher-order contracts [Findler-Felleisen 02,...]  Limitations –performance overhead –limited coverage specs only checked on tested executions may catch errors late in development cycle, or post-deployment

C. FlanaganPOPL’06: Hybrid Type Checking10 The Case for Hybrid Type Checking  Static checking –provides full coverage for limited specifications  Dynamic checking –provides limited coverage of very expressive specifications  Hybrid type checking –a synthesis of these two prior techniques –goal: high coverage checking for expressive specs

C. FlanaganPOPL’06: Hybrid Type Checking11 Hybrid Type Checking for Expressive Specs  The hybrid type checking algorithm tries to prove that the program is either well-typed or ill-typed Program with precise specifications Hybrid Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Accept with casts Compile-time type error: expected Int, got Bool Run-time type error: expected Digit, got 12 Run  In “don’t know” case, it accepts the program, but inserts sufficient dynamic casts to ensure that the compiled program never violates any specification

C. FlanaganPOPL’06: Hybrid Type Checking12 Other Combined Static/Dynamic Checkers  For language safety –static type checking, dynamic bounds checking –ML, Java, C#, also CCured [Necula et al 02]  For more flexible typing –Type Dynamic [Abadi et al 89, Henglein 94, Thatte 90] –Soft typing [Wright and Cartwright 94]  In comparison, goal of this work is to –enforce more expressive specs –catch more bugs earlier

C. FlanaganPOPL’06: Hybrid Type Checking13  Refinement types –arbitrary (executable) refinement predicate p –  Dependent function types –equivalent to – + has type  Supports arbitrary preconditions, postconditions e.g., simple type becomes The Language 

C. FlanaganPOPL’06: Hybrid Type Checking14 Type Checking for   Type checking judgement  Consider type checking an application where  Application is well-typed iff S is a subtype of T iff which is undecidable

C. FlanaganPOPL’06: Hybrid Type Checking15 Hybrid Type Checking for   Need theorem prover for that answers –Yes, implication holds –No, implication does not hold –Maybe, implication may or may not hold  Lift to 3-valued subtyping algorithm for S <: T –Yes ) application is well-typed –No ) application is ill-typed –Maybe ) compile to  Hybrid type checking judgement

C. FlanaganPOPL’06: Hybrid Type Checking16 Casts in   Cast dynamically converts value v from type S to type T (or else fails)  Examples

C. FlanaganPOPL’06: Hybrid Type Checking17 Advantages of Hybrid Type Checking Program with precise specifications Hybrid Type Checking Algorithm ill-typed Accept Reject don’t know well-typed Accept with casts Compile-time type error: expected Int, got Bool Run-time type error: expected Digit, got 12 Run  Generated program always well-typed  Detects many simple errors detected at compile-time  Enforces all specifications –attempted violations caught, either statically or dynamically  Accepts all well-typed programs –casts (if any) never fail, compilation semantics-preserving  Supports expressive, precise specifications

C. FlanaganPOPL’06: Hybrid Type Checking18  Well-typed if  if theorem prover can prove this fact ) accept as is  Impl Example: serializeMatrix  Let  Spec  otherwise insert cast to verify type of return value

C. FlanaganPOPL’06: Hybrid Type Checking19  Pick any set of predicates D with decidable implication  Generates a language S with decidable type checking  Example –if D = { true } –then only have trivial refinement types { x:T | true } –so S is just the simply-typed lambda calculus Hybrid Type Checking  Language H  Arbitrary executable refinement predicates Static Type Checking vs.

C. FlanaganPOPL’06: Hybrid Type Checking20  Pick any set of predicates D with decidable implication  Generates a language S with decidable type checking  Example –if D = { true } –then only have trivial refinement types { x:T | true } –so S is just the simply-typed lambda calculus Hybrid Type Checking  Language H  Arbitrary executable refinement predicates Static Type Checking  Language S  Smaller set D of refinement predicates with decidable implication vs.

C. FlanaganPOPL’06: Hybrid Type Checking21 Hybrid vs static type checking on S programs  HTC can work as well as STC on S programs –essentially can use same reasoning as STC Hybrid Type Checking  Language H  Arbitrary executable refinement predicates Static Type Checking  Language S  Smaller set D of refinement predicates with decidable implication vs.

C. FlanaganPOPL’06: Hybrid Type Checking22 Hybrid vs static type checking on H programs  For any “reasonable” function erase : H ! S there exist some H program p such that HTC(p) “is better than” STC(erase(p)) –i.e., HTC(p) finds more errors statically than STC(erase(p)) or gives fewer static false alarms Hybrid Type Checking  Language H  Arbitrary executable refinement predicates Static Type Checking  Language S  Smaller set D of refinement predicates with decidable implication vs.

C. FlanaganPOPL’06: Hybrid Type Checking23 Conclusions  Expressive specifications are essential for programming –ideally should be mechanically checked –purely static checking of such specifications is undecidable  Hybrid type checking –pragmatic method for enforcing expressive specifications –synthesis of static and dynamic checking  Beyond H –should your next program checker be a Hybrid? –see hybrid imperative objects at FOOL –Sage programming language (sage.soe.ucsc.edu) Pure Type Systems meets hybrid type checking

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.