Dependent Types in Practical Programming Hongwei Xi Oregon Graduate Institute

Motivation: Narrowing the Huge Gap NuPrl Coq Program ExtractionProof synthesis ML with Dependent Types ML

Some Key Issues in Language Design Program error detection Program verification Large scale programming Program documentation Efficient implementation

Some key features in SML Rich programming constructs Imperative features Advanced type system Sophisticated module system

zip: dynamic safety datatype ‘a list = nil | :: ‘a * ‘a list exception UnequalLengths fun(‘a, ‘b) zip(nil, nil) = nil | zip(x :: xs, y :: ys) = (x, y) :: zip(xs, ys) | zip(x :: xs, nil) = raise UnequalLengths | zip(nil, y :: ys) = raise UnequalLengths

An Example of Dependent Types We refine the datatype ‘a list : typeref ‘a list of nat with nil <| ‘a list(0) | :: ’a list(n+1) Some explanation –nil is a list of length 0 –:: yields a list of length n+1 when given an element of type ‘a and a list of length n

zip: static safety fun(‘a, ‘b) zip(nil, nil) = nil | zip(x :: xs, y :: ys) = (x, y) :: zip(xs,ys) (* | zip(x :: xs, nil) = raise UnequalLengths | zip(nil, y :: ys) = raise UnequalLengths *) where zip ‘a * ‘b list(n)

zip: An Elaborated Version fun(‘a, ‘b) zip[0](nil, nil) = nil | zip[n+1](x :: xs, y :: ys) =(x, y) :: zip[n](xs,ys) where zip ‘a * ‘b list(n)

Array bounds Checking Array bounds checking refers to determining whether the value of an expression is within the bounds of an array when it is used to index the array. Pascal, Ada, Modula-3, SML, Java are among the programming languages which require that all bounds violations be captured. C and C++ are not. However, array bounds checking can be expensive. FoxNet (SML): up to 30% loss of throughput SPIN kernel (Modula-3): significant performance loss

Array Bounds Check Elimination Some previous approaches: –Synthesizing loop invariants (Suzuki & Ishihata): too expensive in practice to be applicable –Flow analysis (Gupta; Kolte & Wolfe): totally automatic but sensitive to program structures and not thorough A recent approach: –Safe C compiler (Necula and Lee): relatively simple language constructs A serious drawback: no or little feedback

Some Built-in Dependent Types int(i) stands for the singleton type which contains only integer i. bool(b) stands for the singleton type which contains only boolean b. ‘a array(n) stands for the type of arrays of size n whose elements are of type ‘a.

Dependent Types of Some Built-in Functions assert sub <| {size:nat}{index:nat | index < size} ‘a array(size) * int(index) -> ‘a This implies that sub can only be applied to an array of size size and an integer of value index such that 0 <= index < size holds. Other array operations such as update can be typed similarly.

Dot Product: A version in DML fun{n:nat} dotprod v1 v2 = let fun loop(i, n, result) = if i = n then result else loop(i+1, n, result+sub(v1,i)*sub(v2,i)) where loop int in loop (0, length v1, 0) end where dotprod int array(n) -> int

Dot Product: A Version in de Caml let dotprod v1 v2 = begin let result = ref 0 in for i = 0 to vect_length v1 - 1 do result := result + v1..(i) * v2..(i) done; !result end withtype {n:nat} int vect(n) -> int vect(n) -> int ;; (* for example: dotprod [|1;2;3|] [|1;2;3|] = 1*1 + 2*2 + 3*3 = 14 *)

Dependently Typed Assembly Language We aim for passing dependent types from source level to assembly level. This is inspired and/or supported by –TIL compiler (Fox project at CMU) –RML compiler (Tolmach and Oliva) –Proof-carrying code (Necula and Lee) –Typed Assembly Language (Morrisett et al)

Some Advantages of DTAL Providing invaluable support for compiler writers (Tolmach and Oliva; Morrisett et al) Producing memory safety proofs for proof- carrying code An alternative to proof-carrying code Aggressive compiler optimization

bcopy: A Version in de Caml let bcopy (src, dst) = let length = vect_length src in for n = 0 to length - 1 do dst..(n) <- src..(n) done withtype {i:nat}{j:nat | i <= j} ‘a vect(i) * ‘a vect(j) -> unit ;;

bcopy: A Version in DTAL bcopy: {i:nat}{j:nat | i<=j} [r1: int(i), r2: int array(i), r3: int array(j)] mov r4, 0 // set the count to be 0 jmp loop // start the loop loop: {i:nat}{j:nat | i<=j}{k:nat} [r1: int(i), r2: int array(i), r3: int array(j), r4: int(k)] sub r5, r4, r1 beq r5, finish // r4 = r1 and done load r5, r2(r4) // r5 <- r2(r4) store r3(r4), r5 // r3(r4) <- r5 add r4, r4, 1 // r4 <- r4 + 1 jmp loop // loop again finish:[] halt

Proof Generation for Proof-Carrying Code Code Proof Poof-Carrying Code Unpacking Verifying Executing Memory Safety Termination

A Similar Scenario NuPrl proof Proof verification Program extraction Code-carrying proof?

Significant Features of DML Exhibiting convincing signs of a practical programming language –Theoretical fundation –Prototype implementation and evaluation Enhancing both code safety and code efficiency Generating DTAL (ongoing research)

Current Status and Future Direction We have finished the following. –Theoretical development of DML –A prototype implementation of DML –A prototype implementation of DTAL We are working on the following. –Writing a DML front-end for Caml-light (de Caml) –Designing a dependently typed assembly language We intend to do the following. –Dependent types for (a subset of) Java!