Presentation is loading. Please wait.

Presentation is loading. Please wait.

Facilitating Program Verification with Dependent Types Hongwei Xi Boston University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Facilitating Program Verification with Dependent Types Hongwei Xi Boston University."— Presentation transcript:

1 Facilitating Program Verification with Dependent Types Hongwei Xi Boston University

2 Talk Overview Motivation Detecting program errors (at compile-time) Detecting more program errors (at compile-time) Dependently typed programming languages Imperative: Xanadu Programming examples Current status and future work

3 A Wish List We would like to have a programming language that should be simple and general support extensive error checking facilitate proofs of program properties possess correct and efficient implementation...... But …

4 Reality Invariably, there are many conflicts among this wish list These conflicts must be resolved with careful attention paid to the needs of the user

5 Some Advantages of Types Capturing errors at compile-time Enabling compiler optimizations Facilitating program verification Using types to encode program properties and verifying the encoded properties through type- checking Serving as program documentation Unlike informal comments, types can be fully trusted after type-checking

6 Limitations of (Simple) Types Not general enough Many correct programs cannot be typed For instance, type casts are widely used in C Not specific enough Many interesting properties cannot be captured For instance, types in Java cannot handle safe array access

7 Dependent Types Dependent types are types that are more refined dependent on the values of expressions Examples int(i): singleton type containing only integer i array(n): type for integer arrays of size n

8 Examples of Dependent Types int(i,j) is defined as [a:int | i < a < j] int(a), that is, the sum of all types int(a) for i < a < j int[i,j), int(i,j], int[i,j] are defined similarly nat is defined as [a:int | a >=0] int(a)

9 Informal Program Comments /* the function should not be applied to a negative integer */ int factorial (x: int) { /* defensive programming */ if (x < 0) exit(1); if (x == 0) return 1; else return (x * factorial (x-1)); }

10 Formalizing Program Comments {n:nat} int factorial (x: int(n)) { if (x == 0) return 1; else return (x * factorial (x-1)); } Note: factorial (-1) is ill-typed and thus rejected!

11 Informal Program Comments /* arrays a and b are of equal size */ double dotprod (double a[], double b[]) { int i; double sum = 0.0; if (a.size != b.size) exit(1); for (i = 0; i < a.size; i = i + 1) { sum = sum + a[i]  b[i]; } return sum; }

12 Formalizing Program Comments {n:nat} double dotprod (a: array(n), b: array(n)) { /* dotprod is assigned the following type: {n:nat}. ( array(n), array(n)) -> float */ … … … }

13 Xanadu Xanadu is a dependently typed imperative programming language with C-like syntax The type of a variable in Xanadu can change during execution The programmer may need to provide dependent type annotations for type-checking purpose

14 Dependent Record Types (I) A polymorphic type for arrays: {n:nat} array(n) { size: int(n); data[n]: ‘a }

15 Dependent Record Types (II) A polymorphic type for 2-dimensional arrays: {m:nat,n:nat} array2(m,n) { row: int(m); col: int(n); data[m][n]: ‘a }

16 Dependent Record Types (III) A polymorphic type for sparse arrays: {m:nat,n:nat} sparseArray(m,n) { row: int(m); col: int(n); data[m]: list }

17 A Program in Xanadu {n:nat} unit init (int vec[n]) { var: int ind, size;; /* arraysize: {n:nat} array(n)  int(n) */ size = arraysize(vec); invariant: [i:nat] (ind: int(i)) for (ind=0; ind<size; ind=ind+1) { vec[ind] = ind; /* safe array subscripting */ }

18 Binary Search in Xanadu {n:nat} int bs(key: int, vec: array(n)) { var: l: int [0, n], h: int [-1, n); int m, x;; l = 0; h = vec.size - 1; while (l <= h) { m = (l + h) / 2; x = vec.data[m]; if (x < key) { l = m - 1; } else if (x > key) { h = m + 1; } else { return m; } } return –1; }

19 Dependent Union Types A polymorphic type for lists: union list with nat = { Nil(0); {n:nat} Cons(n+1) of ‘a  list(n) } Nil: list(0) Cons: {n:nat} ‘a  list(n)  list(n+1)

20 Reverse Append on Lists (‘a) {m:nat,n:nat} list(m+n) revApp (xs: list(m),ys: list(n)) { var: ‘a x;; invariant: [m1:nat,n1:nat | m1+n1=m+n] (xs: list(m1), ys: list(n1)) while (true) { switch (xs) { case Nil: return ys; case Cons (x, xs): ys = Cons(x, ys); } } exit; /* can never be reached */ }

21 Constraint Generation The following constraint is generated when the revApp example is type-checked: m:nat,n:nat,m1:nat,n1:nat,m1+n1=m+n,a:nat,m1=a+1 implies a+(n1+1)=m+n

22 Current Status of Xanadu A prototype implementation of Xanadu in Objective Caml that performs two-phase type-checking, and generates assembly level code An interpreter for interpreting assembly level code A variety of examples at http://www.cs.bu.edu/~hwxi/Xanadu/Xanadu.html

23 Conclusion (I) It is still largely an elusive goal in practice to verify the correctness of a program It is therefore important to identify those program properties that can be effectively verified for realistic programs

24 Conclusion (II) We have designed a type-theoretic approach to capturing simple arithmetic reasoning The preliminary studies indicate that this approach allows the programmer to capture many more properties in realistic programs while retaining practical type-checking

25 Future Work Adding more programming features into Xanadu in particular, OO features Certifying compilation: constructing a compiler for Xanadu that can translate dependent types from source level into bytecode level Incorporating dependent types into (a subset of) Java and …

26 End of the Talk Thank you! Questions?

Download ppt "Facilitating Program Verification with Dependent Types Hongwei Xi Boston University."

Similar presentations

Sml2java a source to source translator Justin Koser, Haakon Larsen, Jeffrey Vaughan PLI 2003 DP-COOL.

Sml2java a source to source translator Justin Koser, Haakon Larsen, Jeffrey Vaughan PLI 2003 DP-COOL.
Intermediate Code Generation

Intermediate Code Generation
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>

Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>
Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.

Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.
Dependent Types in Practical Programming Hongwei Xi Oregon Graduate Institute.

Dependent Types in Practical Programming Hongwei Xi Oregon Graduate Institute.
Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.

Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
Composition CMSC 202. Code Reuse Effective software development relies on reusing existing code. Code reuse must be more than just copying code and changing.

Composition CMSC 202. Code Reuse Effective software development relies on reusing existing code. Code reuse must be more than just copying code and changing.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Lecture 2 Introduction to C Programming

Lecture 2 Introduction to C Programming
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
Compiler Construction

Compiler Construction
1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University.

1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University.
Software Engineering and Design Principles Chapter 1.

Software Engineering and Design Principles Chapter 1.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 5 Types Types are the leaven of computer programming;

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 5 Types Types are the leaven of computer programming;
Dependently Typed Pattern Matching Hongwei Xi Boston University.

Dependently Typed Pattern Matching Hongwei Xi Boston University.
May 1, 2003May 1, 2003 1 Imperative Programming with Dependent Types Hongwei Xi Boston University.

May 1, 2003May 1, Imperative Programming with Dependent Types Hongwei Xi Boston University.
1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.

1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.

Similar presentations

Ads by Google