facilitating program verification with dependent types hongwei xi boston university
Post on 20-Dec-2015
217 views
TRANSCRIPT
![Page 1: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/1.jpg)
Facilitating Program Verification with Dependent Types
Hongwei Xi
Boston University
![Page 2: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/2.jpg)
Talk Overview
Motivation Detecting program errors (at compile-time) Detecting more program errors (at compile-time)
Dependently typed programming languages Imperative: Xanadu
Programming examples Current status and future work
![Page 3: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/3.jpg)
A Wish List
We would like to have a programming language that should be simple and general support extensive error checking facilitate proofs of program properties possess correct and efficient implementation ... ...
But …
![Page 4: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/4.jpg)
Reality
Invariably, there are many conflicts among this wish list
These conflicts must be resolved with careful attention paid to the needs of the user
![Page 5: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/5.jpg)
Some Advantages of Types
Capturing errors at compile-time Enabling compiler optimizations Facilitating program verification
Using types to encode program properties and verifying the encoded properties through type-checking
Serving as program documentation Unlike informal comments, types can be fully
trusted after type-checking
![Page 6: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/6.jpg)
Limitations of (Simple) Types
Not general enough Many correct programs cannot be typed For instance, type casts are widely used in C
Not specific enough Many interesting properties cannot be captured For instance, types in Java cannot handle safe
array access
![Page 7: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/7.jpg)
Dependent Types
Dependent types are types that are more refined dependent on the values of expressions
Examples int(i): singleton type containing only integer i <int> array(n): type for integer arrays of size n
![Page 8: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/8.jpg)
Examples of Dependent Types
int(i,j) is defined as [a:int | i < a < j] int(a),that is, the sum of all types int(a) for i < a < j
int[i,j), int(i,j] , int[i,j] are defined similarly nat is defined as
[a:int | a >=0] int(a)
![Page 9: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/9.jpg)
Informal Program Comments
/* the function should not be applied toa negative integer */
int factorial (x: int) { /* defensive programming */ if (x < 0) exit(1); if (x == 0) return 1;
else return (x * factorial (x-1));}
![Page 10: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/10.jpg)
Formalizing Program Comments
{n:nat}
int factorial (x: int(n)) {
if (x == 0) return 1;else return (x * factorial (x-1));
}
Note: factorial (-1) is ill-typed and thus rejected!
![Page 11: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/11.jpg)
Informal Program Comments
/* arrays a and b are of equal size */ double dotprod (double a[], double b[]) { int i; double sum = 0.0; if (a.size != b.size) exit(1); for (i = 0; i < a.size; i = i + 1) { sum = sum + a[i] b[i]; } return sum; }
![Page 12: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/12.jpg)
Formalizing Program Comments
{n:nat}
double dotprod (a: <double> array(n), b: <double> array(n)) {
/* dotprod is assigned the following type:
{n:nat}. (<float> array(n), <float> array(n)) -> float
*/
… … …
}
![Page 13: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/13.jpg)
Xanadu
Xanadu is a dependently typed imperative programming language with C-like syntax
The type of a variable in Xanadu can change during execution
The programmer may need to provide dependent type annotations for type-checking purpose
![Page 14: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/14.jpg)
Dependent Record Types (I)
A polymorphic type for arrays:
{n:nat} <‘a> array(n) { size: int(n); data[n]: ‘a}
![Page 15: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/15.jpg)
Dependent Record Types (II)
A polymorphic type for 2-dimensional arrays:
{m:nat,n:nat} <‘a> array2(m,n) { row: int(m); col: int(n); data[m][n]: ‘a}
![Page 16: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/16.jpg)
Dependent Record Types (III)
A polymorphic type for sparse arrays:
{m:nat,n:nat} <‘a>sparseArray(m,n) { row: int(m); col: int(n); data[m]: <int[0,n) ‘a> list}
![Page 17: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/17.jpg)
A Program in Xanadu
{n:nat} unit init (int vec[n]) { var: int ind, size;; /* arraysize: {n:nat} <‘a> array(n) int(n) */ size = arraysize(vec); invariant: [i:nat] (ind: int(i)) for (ind=0; ind<size; ind=ind+1) { vec[ind] = ind; /* safe array subscripting */ }}
![Page 18: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/18.jpg)
Binary Search in Xanadu
{n:nat}int bs(key: int, vec: <int> array(n)) { var: l: int [0, n], h: int [-1, n); int m, x;; l = 0; h = vec.size - 1; while (l <= h) { m = (l + h) / 2; x = vec.data[m]; if (x < key) { l = m - 1; } else if (x > key) { h = m + 1; } else { return m; } } return –1;}
![Page 19: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/19.jpg)
Dependent Union Types
A polymorphic type for lists:
union <‘a> list with nat = { Nil(0); {n:nat} Cons(n+1) of ‘a <‘a> list(n) }
Nil: <‘a> list(0) Cons:
{n:nat} ‘a <‘a> list(n) <‘a> list(n+1)
![Page 20: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/20.jpg)
Reverse Append on Lists
(‘a) {m:nat,n:nat}<‘a> list(m+n) revApp (xs:<‘a> list(m),ys:<‘a> list(n)) {
var: ‘a x;;invariant: [m1:nat,n1:nat | m1+n1=m+n] (xs:<‘a> list(m1), ys:<‘a> list(n1))while (true) { switch (xs) { case Nil: return ys; case Cons (x, xs): ys = Cons(x, ys); } } exit; /* can never be reached */
}
![Page 21: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/21.jpg)
Constraint Generation
The following constraint is generated when the revApp example is type-checked:
m:nat,n:nat,m1:nat,n1:nat,m1+n1=m+n,a:nat,m1=a+1
implies
a+(n1+1)=m+n
![Page 22: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/22.jpg)
Current Status of Xanadu
A prototype implementation of Xanadu in Objective Caml that performs two-phase type-checking, and generates assembly level code
An interpreter for interpreting assembly level code
A variety of examples athttp://www.cs.bu.edu/~hwxi/Xanadu/Xanadu.html
![Page 23: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/23.jpg)
Conclusion (I)
It is still largely an elusive goal in practice to verify the correctness of a program
It is therefore important to identify those program properties that can be effectively verified for realistic programs
![Page 24: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/24.jpg)
Conclusion (II)
We have designed a type-theoretic approach to capturing simple arithmetic reasoning
The preliminary studies indicate that this approach allows the programmer to capture many more properties in realistic programs while retaining practical type-checking
![Page 25: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/25.jpg)
Future Work
Adding more programming features into Xanadu in particular, OO features
Certifying compilation: constructing a compiler for Xanadu that can translate dependent types from source level into bytecode level
Incorporating dependent types into (a subset of) Java and …
![Page 26: Facilitating Program Verification with Dependent Types Hongwei Xi Boston University](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d435503460f94a1f130/html5/thumbnails/26.jpg)
End of the Talk
Thank you!Questions
?