View
216
Download
1
Category
Preview:
Citation preview
1
A Dependently TypedAssembly Language
Hongwei XiUniversity of Cincinnati
and
Robert HarperCarnegie Mellon University
2
Talk Overview
MotivationDTAL, a dependently typed assembly language
An introductory example Theoretical development Practical application
Conclusion
3
Compilation Certification
Transfer source-language guarantees to object-languages of interests Eliminate the “closed world” assumption
by making the transferred properties independently verifiable
Source program
e
Target code
|e|
compilation
| . |
4
Type-directed compilation
e --------------> |e| e: -----------> |e|:||
At target level: Use types to enforce program properties
of interests (e.g., memory safety) Use type-checking to verify enforced
properties
5
Proof-carrying code (PCC)
Both type safety and memory safety are expressed by first-order logic
assertions about program variables, and are checked by a verification condition
generator (VCG) and a theorem prover
Object code is certified by an explicit representation of the proof
6
Typed assembly language
(TAL)
Type safety is expressed by type annotations, and is checked by a type-checker
Memory safety is ensured by making critical instructions such as array subscripting atomicObject code requires no additional certification
7
DTAL
DTAL is designed to allow for more fine-grained control over memory safety, supporting array bound check elimination efficient representation of sum types
The design of DTAL draws on ideas from DML as the general framework in particular, the separation of type indices
from values, linked by “singleton” types
8
Xanadu
Xanadu is an imperative programming language with C/Java-like syntaxThe type system of Xanadu supports a DML-style dependent typesXanadu is currently used as a source language for generating DTAL code
9
A copy function in Xanadu
{m:nat,n:nat | m <= n}unit copy(int src[m], int dst[n]) { var: int i, len;; len = arraysize (src); [a:nat] (i: int(a)) /* loop invariant */ for (i = 0; i < len; i = i + 1) { dst[i] = src[i]; }}
10
A copy function in DTAL
copy: {m:nat,n:nat | m <= n} [r1: int array(m), r2: int array(n)] arraysize r3, r1 mov r4, 0loop: {m:nat,n:nat, i:nat | m <= n} [r1: int array(m), r2: int array(n), r3:int(m), r4:int(i)] sub r5, r4, r3 bgte r5, finish load r5, r1(r4) store r2(r4), r5 add r4, r4, 1 jmp loopfinish: [] halt
11
Integer Constraint Domain
We use a for index variables and i for integersindex expressions
x, y ::= a | i | x + y | x – y | x * y | x/ y | …index propositions
P, Q ::= x < y | x <= y | x > y | x >= y | x = y | x <> y | P Q | P Q
index sorts ::= int | {a : | P }index variable contexts ::= . | , a: | , Pindex constraints ::= P | P | a:
12
Limitations
Currently, we only handle linear constraints The constraint solver first checks the
linearity of each constraint It then uses an approach to integer
programming based on the simplex method to solve constraints
E.g., a:nat. b:nat. a * b >= 0 is rejected
13
Instructions in DTAL
values v ::= i | l | rtypes ::= | | top | int | array(x)instructions ins ::=
aop r1, r2, v | bop r, v | mov r, v |load r1, r2(v) | store r1(v), r2 |newarray[] r1, r2, r3 | jmp v | halt |arraysize r1, r2
instruction sequences I ::=jmp v | halt | ins; I
14
Programs in DTAL
regfile types R ::= {r1:1, ..., rnr:nr}
state types ::= state(.R)blocks B ::= .(R, I)label mappings ::= {l1: 1, ..., ln:
n}
programs P ::= l1:B1;...; ln:Bn
15
A typing rule
;;R |- r2: array(x) ;;R |- v: int(y) |= 0 <= y < x ;;R[r1:] |- I
-------------------------------------------- ;;R |- load r1, r2(v); I
16
Another typing rule
;;R |- v: state(’’R’) |- : ’ ; |- : ’ ;;R |= R’[][]
-------------------------------------------- ;;R |- jmp v; I
17
Entailment relation (I)
H |= hc : means that hc, a constant or a heap address, has type under the heap mapping H
The following rule (heap-array) is for typing arrays
H (h) = (hc1, ..., hcn) H |= hc1 : H |= hcn : --------------------------------------------------- H |= h : array(n)
18
Entailment relation (II)
We use R for register file
The entailment relation (H,R) |= R means that for each register ri, H |= R (i): R(i)
19
A potential problem
H (h) = (0, 0), R (1) = R (2) = h R(1) = int array(2), R(2) = nat array(2)
Note that (H, R ) |= R
If we now store a negative integer into the array pointed by r1, then the type of r2 is invalidated
20
Regularity condition
A derivation of (H, R ) |= R isregular if each heap address is associated with
at most one type, and whenever the rule (heap-array) is
applied, the type must equal the type associated with h
Regular derivations are preserved under execution
21
Soundness Theorem
Let P = (l1:B1;...; ln:Bn) and = (P). Assume |- P[well-typed] is derivable. Then the execution of P either terminates normally or continues forever.
22
Extension with sum types
choose(i; 0, ..., n-1) stands for a type which much be one of ’s, determined by the value of i0 + ... + n-1 is represented as[a:nat | a < n] (int(a) choose (a; 0, ..., n-1))
23
Generating DTAL code
For a proof of concept, we have built a compiler from Xanadu to DTAL The types for labels in DTAL code are
constructed from the type annotations in Xanadu programs
Currently, there is no formalization of the compiler
24
DTAL vs. TPCC
DTAL requires a constraint solver for handling linear constraints in TBC; but TPCC requires noneWith source language support, DTAL can handle cases that could be difficult for TPCC, which uses a synthesis approach to array bound check elimination
25
Some Related Work
Here is a list of some closely related work Dependent types in practical
programming (Xi & Pfenning) Typed assembly language (TAL)
(Morrisett et al) Proof-carrying code (Necula & Lee) TILT compiler (the Fox project at CMU) Flint compiler (Zhong Shao et al)
26
End of the Talk
Thank You! Questions?
27
Another typing rule
typing judgment: ;;R |- I
;;R |- r2:int(x) ;;R |- v:int(y) ;;R[r1:int(x+y)] |- I
----------------------------------------- ;;R |- add r1, r2, v; I
28
A copy function in DML
fun copy (src, dst) =let fun loop (i, len) = if i < len then update (dst, i, sub (src, i)) else () withtype {i:nat | i <= m} int(i) * int(m) -> unitin loop (0, length src)end
withtype {m:nat,n:nat | m <= n} ‘a array(m) * ‘a array(n) -> unit
(* length: {n:nat} ‘a array(n) -> int(n) *)
Recommended