1

A Dependently TypedAssembly Language

Hongwei XiUniversity of Cincinnati

and

Robert HarperCarnegie Mellon University

2

Talk Overview

MotivationDTAL, a dependently typed assembly language

An introductory example Theoretical development Practical application

Conclusion

3

Compilation Certification

Transfer source-language guarantees to object-languages of interests Eliminate the “closed world” assumption

by making the transferred properties independently verifiable

Source program

e

Target code

|e|

compilation

| . |

4

Type-directed compilation

e --------------> |e| e: -----------> |e|:||

At target level: Use types to enforce program properties

of interests (e.g., memory safety) Use type-checking to verify enforced

properties

5

Proof-carrying code (PCC)

Both type safety and memory safety are expressed by first-order logic

assertions about program variables, and are checked by a verification condition

generator (VCG) and a theorem prover

Object code is certified by an explicit representation of the proof

6

Typed assembly language

(TAL)

Type safety is expressed by type annotations, and is checked by a type-checker

Memory safety is ensured by making critical instructions such as array subscripting atomicObject code requires no additional certification

7

DTAL

DTAL is designed to allow for more fine-grained control over memory safety, supporting array bound check elimination efficient representation of sum types

The design of DTAL draws on ideas from DML as the general framework in particular, the separation of type indices

from values, linked by “singleton” types

8

Xanadu

Xanadu is an imperative programming language with C/Java-like syntaxThe type system of Xanadu supports a DML-style dependent typesXanadu is currently used as a source language for generating DTAL code

9

A copy function in Xanadu

{m:nat,n:nat | m <= n}unit copy(int src[m], int dst[n]) { var: int i, len;; len = arraysize (src); [a:nat] (i: int(a)) /* loop invariant */ for (i = 0; i < len; i = i + 1) { dst[i] = src[i]; }}

10

A copy function in DTAL

copy: {m:nat,n:nat | m <= n} [r1: int array(m), r2: int array(n)] arraysize r3, r1 mov r4, 0loop: {m:nat,n:nat, i:nat | m <= n} [r1: int array(m), r2: int array(n), r3:int(m), r4:int(i)] sub r5, r4, r3 bgte r5, finish load r5, r1(r4) store r2(r4), r5 add r4, r4, 1 jmp loopfinish: [] halt

11

Integer Constraint Domain

We use a for index variables and i for integersindex expressions

x, y ::= a | i | x + y | x – y | x * y | x/ y | …index propositions

P, Q ::= x < y | x <= y | x > y | x >= y | x = y | x <> y | P Q | P Q

index sorts ::= int | {a : | P }index variable contexts ::= . | , a: | , Pindex constraints ::= P | P | a:

12

Limitations

Currently, we only handle linear constraints The constraint solver first checks the

linearity of each constraint It then uses an approach to integer

programming based on the simplex method to solve constraints

E.g., a:nat. b:nat. a * b >= 0 is rejected

13

Instructions in DTAL

values v ::= i | l | rtypes ::= | | top | int | array(x)instructions ins ::=

aop r1, r2, v | bop r, v | mov r, v |load r1, r2(v) | store r1(v), r2 |newarray[] r1, r2, r3 | jmp v | halt |arraysize r1, r2

instruction sequences I ::=jmp v | halt | ins; I

14

Programs in DTAL

regfile types R ::= {r1:1, ..., rnr:nr}

state types ::= state(.R)blocks B ::= .(R, I)label mappings ::= {l1: 1, ..., ln:

n}

programs P ::= l1:B1;...; ln:Bn

15

A typing rule

;;R |- r2: array(x) ;;R |- v: int(y) |= 0 <= y < x ;;R[r1:] |- I

-------------------------------------------- ;;R |- load r1, r2(v); I

16

Another typing rule

;;R |- v: state(’’R’) |- : ’ ; |- : ’ ;;R |= R’[][]

-------------------------------------------- ;;R |- jmp v; I

17

Entailment relation (I)

H |= hc : means that hc, a constant or a heap address, has type under the heap mapping H

The following rule (heap-array) is for typing arrays

H (h) = (hc1, ..., hcn) H |= hc1 : H |= hcn : --------------------------------------------------- H |= h : array(n)

18

Entailment relation (II)

We use R for register file

The entailment relation (H,R) |= R means that for each register ri, H |= R (i): R(i)

19

A potential problem

H (h) = (0, 0), R (1) = R (2) = h R(1) = int array(2), R(2) = nat array(2)

Note that (H, R ) |= R

If we now store a negative integer into the array pointed by r1, then the type of r2 is invalidated

20

Regularity condition

A derivation of (H, R ) |= R isregular if each heap address is associated with

at most one type, and whenever the rule (heap-array) is

applied, the type must equal the type associated with h

Regular derivations are preserved under execution

21

Soundness Theorem

Let P = (l1:B1;...; ln:Bn) and = (P). Assume |- P[well-typed] is derivable. Then the execution of P either terminates normally or continues forever.

22

Extension with sum types

choose(i; 0, ..., n-1) stands for a type which much be one of ’s, determined by the value of i0 + ... + n-1 is represented as[a:nat | a < n] (int(a) choose (a; 0, ..., n-1))

23

Generating DTAL code

For a proof of concept, we have built a compiler from Xanadu to DTAL The types for labels in DTAL code are

constructed from the type annotations in Xanadu programs

Currently, there is no formalization of the compiler

24

DTAL vs. TPCC

DTAL requires a constraint solver for handling linear constraints in TBC; but TPCC requires noneWith source language support, DTAL can handle cases that could be difficult for TPCC, which uses a synthesis approach to array bound check elimination

25

Some Related Work

Here is a list of some closely related work Dependent types in practical

programming (Xi & Pfenning) Typed assembly language (TAL)

(Morrisett et al) Proof-carrying code (Necula & Lee) TILT compiler (the Fox project at CMU) Flint compiler (Zhong Shao et al)

26

End of the Talk

Thank You! Questions?

27

Another typing rule

typing judgment: ;;R |- I

;;R |- r2:int(x) ;;R |- v:int(y) ;;R[r1:int(x+y)] |- I

----------------------------------------- ;;R |- add r1, r2, v; I

28

A copy function in DML

fun copy (src, dst) =let fun loop (i, len) = if i < len then update (dst, i, sub (src, i)) else () withtype {i:nat | i <= m} int(i) * int(m) -> unitin loop (0, length src)end

withtype {m:nat,n:nat | m <= n} ‘a array(m) * ‘a array(n) -> unit

(* length: {n:nat} ‘a array(n) -> int(n) *)