May 1, 2003May 1, Imperative Programming with Dependent Types Hongwei Xi Boston University

May 1, Talk Overview Motivation – Detecting program errors (at compile-time) – Generating proof-carrying code Programming language Xanadu: – Design decisions – Dependent type system – Programming examples Current Status and Future Work

May 1, A Wish List We would like to have a programming language that should – be simple and general – support extensive error checking – facilitate proofs of program properties – possess correct and efficient implementation –......

May 1, Reality Invariably, there are many conflicts among this wish list These conflicts must be resolved with careful attention to the needs of the user

May 1, Advantages of Types Capturing errors at compile-time Enabling compiler optimizations Facilitating program verification – Using types to encode program properties and verifying the encoded properties through type- checking Serving as program documentation – Unlike informal comments, types can be fully trusted after type-checking

May 1, Limitations of (Simple) Types Not general enough – Many correct programs cannot be typed – For instance, type casts are widely used in C Not specific enough – Many interesting properties cannot be captured – For instance, types in Java cannot handle safe array access

May 1, Narrowing the Gap NuPrl Coq Program ExtractionProof synthesis ML with Dependent Types ML

May 1, Informal Program Comments /* the function should not be applied to a negative integer */ int factorial (x: int) { if (x < 0) exit(1); /*defensive programming*/ if (x == 0) return 1; else return (x * factorial (x-1)); }

May 1, Formalizing Program Comments {n:nat} int factorial (x: int(n)) { if (x == 0) return 1; else return (x * factorial (x-1)); } Note: factorial (-1) is ill-typed and rejected!

May 1, Informal Program Comments /* arrays a and b are of equal size */ float dotprod (float a[], float b[]) { int i; float sum = 0.0; if (a.size != b.size) exit(1); for (i = 0; i < a.size; i = i + 1) { sum = sum + a[i] * b[i]; } return sum; }

May 1, Formalizing Program Comments {n:nat} float dotprod (a: array(n), b: array(n)) { /* dotprod is assigned the following type: {n:nat}. ( array(n), array(n)) -> float */ /* function body */ … … … }

May 1, Dependent Types Dependent types are types that are – more refined – dependent on the values of expressions Examples – int(i): singleton type containing only integer i – array(n): type for integer arrays of size n

May 1, Type System Design A practically useful type system should be – Scalable – Applicable – Comprehensible – Unobtrusive – Flexible

May 1, Xanadu Xanadu is a dependently typed imperative programming language with C-like syntax The type of a variable in Xanadu can change during execution The programmer may need to provide dependent type annotations for type- checking purpose

May 1, Early Design Decisions Practical type-checking Realistic programming features Conservative extension Pay-only-if-you-use policy

May 1, Examples of Dependent Types (I) int(a): singleton types containing the only integer equal to a, where a ranges over all integers array(a): types for arrays of size a in which all elements are of type ‘a, where ‘a ranges over all natural numbers

May 1, Examples of Dependent Types (II) int(i,j) is defined as [a:int | i < a < j] int(a), that is, the sum of all types int(a) for i < a < j int[i,j), int(i,j], int[i,j] are defined similarly nat is defined as [a:int | a >=0] int(a)

May 1, A Xanadu Program {n:nat} unit init (int vec[n]) { var: int ind, size;; /* arraysize: {n:nat} array(n) -> int(n) */ size = arraysize(vec); invariant: [i:nat] (ind: int(i)) for (ind=0; ind<size; ind=ind+1){ vec[ind] = ind; }

May 1, A Slight Variation {n:nat} unit init (int vec[n]) { var: nat ind, size;; /* arraysize: {n:nat} array(n)-> int(n) */ size = arraysize(vec); for (ind=0; ind<size; ind=ind+1){ vec[ind] = ind; }

May 1, Dependent Record Types A polymorphic type for arrays {n:nat} array(n) { size: int(n); data[n]: ‘a }

May 1, Binary Search in Xanadu {n:nat} int bs(key: int, vec: array(n)) { var: l: int [0, n], h: int [-1, n); int m, x;; l = 0; h = vec.size - 1; while (l <= h) { m = (l + h) / 2; x = vec.data[m]; if (x < key) { l = m - 1; } else if (x > key) { h = m + 1; } else { return m; } } return –1; }

May 1, Dependent Record Types A polymorphic type for 2-dimensional arrays: {m:nat,n:nat} array2(m,n) { row: int(m); col: int(n); data[m][n]: ‘a }

May 1, Dependent Record Types A polymorphic type for sparse arrays: {m:nat,n:nat} sparseArray(m,n) { row: int(m); col: int(n); data[m]: list }

May 1, Dependent Union Types A polymorphic type for lists: union list with nat = { Nil(0); {n:nat} Cons(n+1) of ‘a * list(n) } Nil: list(0) Cons: {n:nat}‘a * list(n)-> list(n+1)

May 1, Dependent Union Types A polymorphic type for binary trees: union tree with (nat,nat) = { E(0,0); {sl:nat,sr:nat,hl:nat,hr:nat} B(sl+sr+1,1+max(hl,hr)) of tree(sl,hl) * ‘a * tree(sr,hr) }

May 1, Typing Judgment in Xanadu  e   Context for index variables   Context for variables with mutable types   Context for variables with fixed types

May 1, Typing Assignment       e            x  e      x  unit 

May 1, Typing Loop          e 1      bool  i     i    e       unit             while  e   e     i    unit 

May 1, Reverse Append in Xanadu (‘a) {m:nat,n:nat} list(m+n) revApp (xs: list(m),ys: list(n)) { var: ‘a x;; invariant: [m1:nat,n1:nat | m1+n1=m+n] (xs: list(m1), ys: list(n1)) while (true) { switch (xs) { case Nil: return ys; case Cons (x, xs): ys = Cons(x, ys); } } exit; /* can never be reached */ }

May 1, Constraint Generation in Type- checking The following integer constraint is generated when the revApp example is type-checked: m:nat,n:nat, m1:nat,n1:nat, m1+n1=m+n, a:nat, m1=a+1 |= a+(n1+1)=m+n

May 1, Current Status of Xanadu A prototype implementation of Xanadu in Objective Caml that – performs two-phase type-checking, and – generates assembly level code An interpreter for interpreting assembly level code A variety of examples at

May 1, Conclusion (I) It is still largely an elusive goal in practice to verify the correctness of a program It is therefore important to identify those program properties that can be effectively verified for realistic programs

May 1, Conclusion (II) We have designed a type-theoretic approach to capturing simple arithmetic reasoning The preliminary studies indicate that this approach allows the programmer to capture many more properties in realistic programs while retaining practical type-checking

May 1, Future Work Adding more programming features into Xanadu – in particular, OO features Type-preserving compilation: constructing a compiler for Xanadu that can translate dependent types from source level into bytecode level Incorporating dependent types into (a subset of) Java and …

May 1, Related Work Here is a (partial) list of some closely related work. – Dependent types in practical programming (Xi & Pfenning) – TALC Compiler (Morrisett et al at Cornell) – Safe C compiler (Necula & Lee) – TIL compiler (the Fox project at CMU)