A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.

Download Report

Transcript A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University. 

A Dependently Typed
Assembly Language
Hongwei Xi
University of Cincinnati
and
Robert Harper
Carnegie Mellon University
1
Compilation Certification
Source program
e

compilation
Target code
|.|
|e|
Transfer source-language guarantees to
object-languages of interests
 Eliminate the “closed world” assumption by
making the transferred properties
independently verifiable
2
Type-directed compilation
e --------------> |e|


e:t -----------> |e|:|t|
At target level:
 Use types to enforce program properties
of interests (e.g., memory safety)
 Use type-checking to verify enforced
properties
3
Proof-carrying code (PCC)
Both type safety and memory safety


are expressed by first-order logic
assertions about program variables, and
are checked by a verification condition
generator (VCG) and a theorem prover
Object code is certified by an
explicit representation of the proof
4
Typed assembly language (TAL)
Type safety


is expressed by type annotations, and
is checked by a type-checker
Memory safety is ensured by making
critical instructions such as array
subscripting atomic
Object code requires no additional
certification
5
DTAL
DTAL is designed to allow for more finegrained control over memory safety,
supporting


array bound check elimination
efficient representation of sum types
The design of DTAL draws on ideas from
DML as the general framework

in particular, the separation of type indices
from values, linked by “singleton” types
6
Xanadu
Xanadu is an imperative programming
language with C/Java-like syntax
The type system of Xanadu supports
a DML-style dependent types
Xanadu is currently used as a source
language for generating DTAL code
7
A copy function in Xanadu
{m:nat,n:nat | m <= n}
unit copy(int src[m], int dst[n]) {
var: int i, len;;
len = arraysize (src);
[a:nat] (i: int(a)) /* loop invariant */
for (i = 0; i < len; i = i + 1) {
dst[i] = src[i];
}
}
8
A copy function in DTAL
copy: {m:nat,n:nat | m <= n} [r1: int array(m), r2: int array(n)]
arraysize r3, r1
mov r4, 0
loop: {m:nat,n:nat, i:nat | m <= n}
[r1: int array(m), r2: int array(n), r3:int(m), r4:int(i)]
sub r5, r4, r3
bgte r5, finish
load r5, r1(r4)
store r2(r4), r5
add r4, r4, 1
jmp loop
finish: []
halt
9
Integer Constraint Domain
We use a for index variables and i for integers
index expressions
x, y ::= a | i | x + y | x – y | x * y | x/ y | …
index propositions
P, Q ::= x < y | x <= y | x > y | x >= y | x = y | x <> y |
PQ|PQ
index sorts g ::= int | {a : g | P }
index variable contexts f ::= . | f, a: g | f, P
index constraints F ::= P | P  F | a: g. F
10
Limitations
Currently, we only handle linear
constraints



The constraint solver first checks the
linearity of each constraint
It then uses an approach to integer
programming based on the simplex
method to solve constraints
E.g., a:nat. b:nat. a * b >= 0 is rejected
11
Instructions in DTAL
values v ::= i | l | r
types t ::= a | s | top | int | t array(x)
instructions ins ::=
aop r1, r2, v | bop r, v | mov r, v |
load r1, r2(v) | store r1(v), r2 |
newarray[t] r1, r2, r3 | jmp v | halt |
arraysize r1, r2
instruction sequences I ::=
jmp v | halt | ins; I
12
Programs in DTAL
regfile types R ::= {r1:t1, ..., rnr:tnr}
state types s ::= state(lD.lf.R)
blocks B ::= lD.lf.(R, I)
label mappings L ::= {l1: s1, ..., ln: sn}
programs P ::= l1:B1;...; ln:Bn
13
A typing rule
f;D;R |- r2: t array(x) f;D;R |- v: int(y)
f |= 0 <= y < x
f;D;R[r1:t] |- I
-------------------------------------------f;D;R |- load r1, r2(v); I
14
Another typing rule
f;D;R |- v: state(lf’.lD’.R’)
f |-  : f’
f; D |- Q : D’
f;D;R |= R’[][Q]
-------------------------------------------f;D;R |- jmp v; I
15
Entailment relation (I)
H |= hc : t means that hc, a constant or a heap
address, has type t under the heap mapping H
The following rule (heap-array) is for typing arrays
H (h) = (hc1, ..., hcn) H |= hc1 : t ... H |= hcn : t
--------------------------------------------------H |= h : t array(n)
16
Entailment relation (II)
We use R for register file
The entailment relation (H,R) |= R
means that for each register ri,
H |= R (i): R(i)
17
A potential problem
H (h) = (0, 0), R (1) = R (2) = h
R(1) = int array(2), R(2) = nat array(2)
Note that (H, R ) |= R
If we now store a negative integer
into the array pointed by r1, then the
type of r2 is invalidated
18
Regularity condition
A derivation of (H, R ) |= R is
regular if


each heap address is associated with at
most one type, and
whenever the rule (heap-array) is
applied, the type t must equal the type
associated with h
Regular derivations are preserved
under execution
19
Soundness Theorem
Let P = (l1:B1;...; ln:Bn) and L= L(P).
Assume |-L P[well-typed] is derivable.
Then the execution of P either
terminates normally or continues
forever.
20
Extension with sum types
choose(i; t0, ..., tn-1) stands for a type
which much be one of t’s, determined
by the value of i
t0 + ... + tn-1 is represented as
[a:nat | a < n] (int(a) * choose (a; t0, ..., tn-1))
21
An example: lists
List constructors:
Nil: <‘a> list(0)
Cons: {n:nat} ‘a * <‘a> list(n) -> <‘a> list(n+1)
The list type is represented as follows in DTAL:
mt.La.P n:nat.($f1.unit)+($f2.a * (a)t(n)),
where f1 is n=0, and f2 is a:nat, n=a+1
22
Generating DTAL code
For a proof of concept, we have built
a compiler from Xanadu to DTAL


The types for labels in DTAL code are
constructed from the type annotations
in Xanadu programs
Currently, there is no formalization of
the compiler
23
DTAL vs. TPCC
DTAL requires a constraint solver for
handling linear constraints in TBC; but
TPCC requires none

We plan to translate proofs of constraints from
Xanadu to DTAL to address the issue
With source language support, DTAL can
handle cases that could be difficult for
TPCC, which uses a synthesis approach to
array bound check elimination
24
Some Related Work
Here is a list of some closely related work






Dependent types in practical programming (Xi & Pfenning)
Typed assembly language (TAL) (Morrisett et al)
LTT, an expressive, scalable type theory for certified
code (Crary and Vanderwaart)
Proof-carrying code (Necula & Lee)
TILT compiler (the Fox project at CMU)
Flint compiler (Zhong Shao et al)
25
End of the Talk
Thank You!
Questions?
26
Another typing rule
typing judgment: f;D;R |- I
f;D;R |- r2:int(x) f;D;R |- v:int(y)
f;D;R[r1:int(x+y)] |- I
----------------------------------------f;D;R |- add r1, r2, v; I
27
A copy function in DML
fun copy (src, dst) =
let
fun loop (i, len) =
if i < len then update (dst, i, sub (src, i)) else ()
withtype {i:nat | i <= m} int(i) * int(m) -> unit
in
loop (0, length src)
end
withtype {m:nat,n:nat | m <= n} ‘a array(m) * ‘a array(n) -> unit
(* length: {n:nat} ‘a array(n) -> int(n) *)
28