1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University

2 Overview Motivation Program error detection at compile-time Compilation certification Dependent ML (DML) Programming Examples Theoretical Foundation CPS Transform for DML Conclusion

3 Program Error Detection Unfortunately one often pays a price for [languages which impose no disciplines of types] in the time taken to find rather inscrutable bugs — anyone who mistakenly applies CDR to an atom in LISP and finds himself absurdly adding a property list to an integer, will know the symptoms. -- Robin Milner A Theory of Type Polymorphism in Programming Therefore, a stronger type discipline allows for capturing more program errors at compile-time.

4 Some Advantages of Types Detecting program errors at compile-time Enabling compiler optimizations Facilitating program verification Using types to encode program properties Verifying the encoded properties through type- checking Serving as program documentation Unlike informal comments, types are formally verified and can thus be fully trusted

5 Compiler Correctness How can we prove the correctness of a (realistic) compiler? Verifying that the semantics of e is the same as the semantics of |e| for every program e But this simply seems too challenging (and is unlikely to be feasible) Source program e Target code | e | compilation |. ||. |

6 Compilation Certification Assume that  e  holds, i.e., e has the property  e.g., memory safety, termination, etc.  Then  e  should hold, too A compiler can be designed to produce a certificate to assert that  e  does have the property  Target code  e  :  e  holds Source program e:  e  holds compilation |. ||. |

7 Semantics-preserving Compilation e > |e|  D of e  v --> |D| of |e|  |v|  This seems unlikely to be feasible in practice

8 Type-preserving Compilation e > |e|   e:  > |e|:|  |   D of e:  ----> |D| of |e|:|  | D and |D| are both represented in LF The LF type-checker does all type-checking!

9 Limitations of (Simple) Types Not general enough Many correct programs cannot be typed For instance, downcasts are widely used in Java Not specific enough Many interesting program properties cannot be captured For instance, types in Java cannot guarantee safe array access

10 Narrowing the Gap NuPrl Coq Program Extraction Proof Synthesis ML Dependent ML

11 Some Design Decisions Practical type-checking Realistic programming features Conservative extension Pay-only-if-you-use policy

12 Ackermann Function in DML fun ack (m, n) = if m = 0 then n+1 else if n = 0 then ack (m-1, 1) else ack (m-1, ack (m, n-1)) withtype {a:nat,b:nat} int(a) * int(b) -> nat (* Note: nat = [a:int | a >=0] int(a) *)

13 Binary Search in DML fun bs (vec, key) = let fun loop (l, u) = if l > u then –1 else let val m = (l + u) / 2 val x = sub (vec, m) (* m needs to be within bounds *) in if x = key then m else if x < key then loop (m+1, u) else loop (l, m-1) end in loop (0, length (vec) – 1) end (* length: {n:nat} ‘a array(n) -> int(n) *) (* sub: {n:nat,i:nat | i ‘a *) withtype {i:int,j:int | 0 int withtype {n:nat} ‘a array(n) * ‘a -> int

14 ML 0: start point base types  ::= int | bool | (user defined datatypes) types  ::=  |       |      patterns p ::= x | c(p) | <> | match clauses ms ::= (p  e) | (p  e | ms) expressions e ::= x | f | c | if (e, e 1, e 2 ) | <> | | lam x: . e | fix f: . e | e 1 (e 2 ) | let x=e 1 in e 2 end | case e of ms values v ::= x | c | | lam x: . e context  ::=. | , x:  | , f: 

15 Integer Constraint Domain We use a for index variables index expressions i, j ::= a | c | i + j | i – j | i * j | i / j | … index propositions P, Q ::= i j | i >= j | i = j | i <> j | P  Q | P  Q index sorts  ::= int | {a :  | P } index variable contexts  ::=. | , a:  | , P index constraints  ::= P | P   |  a:  

16 Dependent Types dependent types  ::=... |  (i) |  a: .  |  a: .  For instance, int(0), bool array(16); nat = [a:int | a >= 0] int(a); {a:int | a >= 0} int list(a) -> int list(a)

17 DML 0  ML 0 + dependent types expressions e ::=... | a: .v | e[i] | | open e 1 as in e 2 end values v ::=... | a: .v | typing judgment  e 

18 Some Typing Rules  a  e   type-ilam   a  e  a   a  e  a  i   type-iapp   e  i  a  i 

19 Some Typing Rules (cont’d)  e  a  i  i   type-pack    a   e 1  a    a  x    e 2    type-open   open e 1 as in e 2 end:  

20 Some Typing Rules (cont’d)  e  bool(i)  i  e 1:  i  e 2:   type-if   if (e, e 1, e 2 ): 

21 Erasure: from DML 0 to ML 0 The erasure function erases all syntax related to type index | bool(1) | = |bool(0)| = bool | [a:int | a >= 0] int(a) | = int | {n:nat} ‘a list(n) -> ‘a list(n) | = ‘a list -> ‘a list | open e 1 as in e 2 end | = let x = |e 1 | in |e 2 | end

22 Relating DML 0 to ML 0 answer:type in DML 0 program:type in DML 0 |program|:|type| in ML 0 |answer|:|type| in ML 0 evaluation erasure Type preservation holds in DML 0 A program is already typable in ML 0 if it is typable in DML 0

23 Polymorphism Polymorphism is largely orthogonal to dependent types We have adopted a two phase type- checking algorithm

24 References and Exceptions A straightforward combination of effects with dependent types leads to unsoundness We have adopted a form of value restriction to restore the soundness

25 Quicksort in DML fun qs [] = [] | qs (x :: xs) = par (x, xs, [], []) withtype {n:nat} int list(n) -> int list(n) and par (x, [], l, g) = qs (x :: qs (g)) | par (x, y :: ys, l, g) = if y <= x then par (x, ys, y :: l, g) else par (x, ys, l, y :: g) withtype {p:nat,q:nat,r:nat} int * int list(p) * int list(q) * int list(r) -> int list(p+q+r+1)

26 CPS transformation for DML (I) Transformation on types: ||  (i) || * =  (i) ||  1 ->  2 || = ||  1  || * -> ||  2 || ||  a: .  || * =  a: . ||  || * ||  a: .  || * =  a: . ||  || * ||  || = ||  || * -> ans -> ans (* ans is some newly introduced type *)

27 CPS Transformation for DML (II) Transformation on expressions: ||c|| * = c ||x|| * = x || e x.e|| * = e x. ||e|| ||v|| = e k. k(||v|| * ) ||e 1 (e 2 )|| = e k.||e 1 ||( e x 1.||e 2 ||( e x 2. x 1 (x 2 )(k)) ||e[i]|| = e k.||e||( e x. x[i](k)) ||fix f.v|| = e k.(fix f. ||v||)(k)...

28 CPS Transformation for DML Theorem Assume D ::  |- e :  Then D can be transformed to ||D|| such that ||D|| ::  ||  || |- ||e|| : ||  ||  where  ||  ||(x) = ||  (x)|| * and ||  ||(f) = ||  (f)|| for all x,f in the domain of  This theorem can be readily encoded into LF We have done this in Twelf.

29 Contributions A CPS transform for DML The transform can be lifted to the level of typing derivation The notion of typing derivation compilation A novel approach to compilation certification in the presence of dependent types

30 End of the Talk Thank You! Questions?