Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University."— Presentation transcript:

1 1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University

2 2 Compilation Certification Transfer source-language guarantees to object-languages of interests  Eliminate the “closed world” assumption by making the transferred properties independently verifiable Source program e Target code | e | compilation |. ||. |

3 3 Type-directed compilation e --------------> |e|   e:  -----------> |e|:|  | At target level:  Use types to enforce program properties of interests (e.g., memory safety)  Use type-checking to verify enforced properties

4 4 Proof-carrying code (PCC) Both type safety and memory safety are expressed by first-order logic assertions about program variables, and are checked by a verification condition generator (VCG) and a theorem prover Object code is certified by an explicit representation of the proof

5 5 Typed assembly language ( TAL) Type safety is expressed by type annotations, and is checked by a type-checker Memory safety is ensured by making critical instructions such as array subscripting atomic Object code requires no additional certification

6 6 DTAL DTAL is designed to allow for more fine- grained control over memory safety, supporting array bound check elimination efficient representation of sum types The design of DTAL draws on ideas from DML as the general framework in particular, the separation of type indices from values, linked by “singleton” types

7 7 Xanadu Xanadu is an imperative programming language with C/Java-like syntax The type system of Xanadu supports a DML-style dependent types Xanadu is currently used as a source language for generating DTAL code

8 8 A copy function in Xanadu {m:nat,n:nat | m <= n} unit copy(int src[m], int dst[n]) { var: int i, len;; len = arraysize (src); [a:nat] (i: int(a)) /* loop invariant */ for (i = 0; i < len; i = i + 1) { dst[i] = src[i]; }

9 9 A copy function in DTAL copy: {m:nat,n:nat | m <= n} [r1: int array(m), r2: int array(n)] arraysize r3, r1 mov r4, 0 loop: {m:nat,n:nat, i:nat | m <= n} [r1: int array(m), r2: int array(n), r3:int(m), r4:int(i)] sub r5, r4, r3 bgte r5, finish load r5, r1(r4) store r2(r4), r5 add r4, r4, 1 jmp loop finish: [] halt

10 10 Integer Constraint Domain We use a for index variables and i for integers index expressions x, y ::= a | i | x + y | x – y | x * y | x/ y | … index propositions P, Q ::= x y | x >= y | x = y | x <> y | P  Q | P  Q index sorts  ::= int | {a :  | P } index variable contexts  ::=. | , a:  | , P index constraints  ::= P | P   |  a:  

11 11 Limitations Currently, we only handle linear constraints The constraint solver first checks the linearity of each constraint It then uses an approach to integer programming based on the simplex method to solve constraints E.g.,  a:nat.  b:nat. a * b >= 0 is rejected

12 12 Instructions in DTAL values v ::= i | l | r types  ::=  |  | top | int |  array(x) instructions ins ::= aop r1, r2, v | bop r, v | mov r, v | load r1, r2(v) | store r1(v), r2 | newarray[  ] r1, r2, r3 | jmp v | halt | arraysize r1, r2 instruction sequences I ::= jmp v | halt | ins; I

13 13 Programs in DTAL regfile types R ::= {r 1 :  1,..., r nr :  nr } state types  ::= state( .R) blocks B ::= .(R, I) label mappings  ::= {l 1 :  1,..., l n :  n } programs P ::= l 1 :B 1 ;...; l n :B n

14 14 A typing rule  ;  ;R |- r2:  array(x)  ;  ;R |- v: int(y)  |= 0 <= y < x  ;  ;R[r1:  ] |- I --------------------------------------------  ;  ;R |- load r1, r2(v); I

15 15 Another typing rule  ;  ;R |- v: state(  ’  ’  R’)  |-  :  ’  ;  |-  :  ’  ;  ;R |= R’[  ][  ] --------------------------------------------  ;  ;R |- jmp v; I

16 16 Entailment relation (I) H |= hc :   means that hc, a constant or a heap address, has type  under the heap mapping H The following rule (heap-array) is for typing arrays H (h) = (hc 1,..., hc n ) H |= hc 1 :  H |= hc n :   --------------------------------------------------- H |= h :  array(n)

17 17 Entailment relation (II) We use R for register file The entailment relation ( H,R ) |= R means that for each register r i, H |= R (i): R(i)

18 18 A potential problem H (h) = (0, 0), R (1) = R (2) = h R(1) = int array(2), R(2) = nat array(2) Note that ( H, R ) |= R If we now store a negative integer into the array pointed by r 1, then the type of r 2 is invalidated

19 19 Regularity condition A derivation of ( H, R ) |= R is regular if each heap address is associated with at most one type, and whenever the rule (heap-array) is applied, the type  must equal the type associated with h Regular derivations are preserved under execution

20 20 Soundness Theorem Let P = (l 1 :B 1 ;...; l n :B n ) and  =  (P). Assume |-  P[well-typed] is derivable. Then the execution of P either terminates normally or continues forever.

21 21 Extension with sum types choose(i;  0,...,  n-1 ) stands for a type which much be one of  ’s, determined by the value of i  0 +... +  n-1 is represented as [a:nat | a < n] (int(a)  choose (a;  0,...,  n-1 ))

22 22 An example: lists List constructors: Nil: list(0) Cons: {n:nat} ‘a * list(n) -> list(n+1) The list type is represented as follows in DTAL:  t.  n:nat.    unit    t  n  where   is n=0, and   is a:nat, n=a+1

23 23 Generating DTAL code For a proof of concept, we have built a compiler from Xanadu to DTAL The types for labels in DTAL code are constructed from the type annotations in Xanadu programs Currently, there is no formalization of the compiler

24 24 DTAL vs. TPCC DTAL requires a constraint solver for handling linear constraints in TBC; but TPCC requires none We plan to translate proofs of constraints from Xanadu to DTAL to address the issue With source language support, DTAL can handle cases that could be difficult for TPCC, which uses a synthesis approach to array bound check elimination

25 25 Some Related Work Here is a list of some closely related work Dependent types in practical programming (Xi & Pfenning) Typed assembly language (TAL) (Morrisett et al) LTT, an expressive, scalable type theory for certified code (Crary and Vanderwaart) Proof-carrying code (Necula & Lee) TILT compiler (the Fox project at CMU) Flint compiler (Zhong Shao et al)

26 26 End of the Talk Thank You! Questions?

27 27 Another typing rule typing judgment:  ;  ;R |- I  ;  ;R |- r2:int(x)  ;  ;R |- v:int(y)  ;  ;R[r1:int(x+y)] |- I  -----------------------------------------  ;  ;R |- add r1, r2, v; I

28 28 A copy function in DML fun copy (src, dst) = let fun loop (i, len) = if i unit in loop (0, length src) end withtype {m:nat,n:nat | m unit (* length: {n:nat} ‘a array(n) -> int(n) *)

Download ppt "1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CS3012: Formal Languages and Compilers Static Analysis the last of the analysis phases of compilation type checking - is an operator applied to an incompatible.

CS3012: Formal Languages and Compilers Static Analysis the last of the analysis phases of compilation type checking - is an operator applied to an incompatible.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Target Code Generation

Target Code Generation
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Intermediate Code Generation

Intermediate Code Generation
Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>

Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
The Semantic Soundness of a Type System for Interprocedural Register Allocation and Constructor Registration Torben Amtoft Kansas State University joint.

The Semantic Soundness of a Type System for Interprocedural Register Allocation and Constructor Registration Torben Amtoft Kansas State University joint.
Dependent Types in Practical Programming Hongwei Xi Oregon Graduate Institute.

Dependent Types in Practical Programming Hongwei Xi Oregon Graduate Institute.
Carnegie Mellon Lecture 7 Instruction Scheduling I. Basic Block Scheduling II.Global Scheduling (for Non-Numeric Code) Reading: Chapter 10.3 – 10.4 M.

Carnegie Mellon Lecture 7 Instruction Scheduling I. Basic Block Scheduling II.Global Scheduling (for Non-Numeric Code) Reading: Chapter 10.3 – 10.4 M.
Chapter 8 ICS 412. Code Generation Final phase of a compiler construction. It generates executable code for a target machine. A compiler may instead generate.

Chapter 8 ICS 412. Code Generation Final phase of a compiler construction. It generates executable code for a target machine. A compiler may instead generate.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.

Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.
Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.

Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.
1 Code Optimization Code produced by compilation algorithms can often be improved (ideally optimized) in terms of run-time speed and the amount of memory.

1 Code Optimization Code produced by compilation algorithms can often be improved (ideally optimized) in terms of run-time speed and the amount of memory.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
534 534534 534 534 534 534 A Type Theory for Memory Allocation and Data Layout Leaf Petersen, Robert Harper, Karl Crary and Frank Pfenning Carnegie Mellon.

A Type Theory for Memory Allocation and Data Layout Leaf Petersen, Robert Harper, Karl Crary and Frank Pfenning Carnegie Mellon.

Similar presentations

Ads by Google