1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.
-
Upload
edwin-stewart -
Category
Documents
-
view
214 -
download
1
Transcript of 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.
![Page 1: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/1.jpg)
1
Resource Bound Certification
Stephanie WeirichCornell University
Joint work with Karl Crary, CMU
![Page 2: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/2.jpg)
2
Problem
Sometimes code runs too longHow do we prevent it?
![Page 3: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/3.jpg)
3
Enforcement Methods
Run the code, and if it takes too long, kill it
Look at the code and decide how long it will take Annotations on the code can makes this
process decidable
![Page 4: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/4.jpg)
4
Dynamic Method
Can decide how long is too long on the fly (even while the code is running)Code producer does not have to write code in any particular language (or include annotations) May be expensive to enforce
![Page 5: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/5.jpg)
5
Static Method
Guarantee to the user that code will run without being prematurely terminatedMay provide faster executionCan encompass dynamic checking Static verification that the code executes
dynamic checks Makes policy enforcement part of the
model
![Page 6: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/6.jpg)
6
Annotations
What annotations can we use for execution time verification?
![Page 7: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/7.jpg)
7
Base Language
Type-Safe version of C all pointer accesses checked for NULL no pointer arithmetic safe memory-management (garbage-
collection or region-based) tagged unions
![Page 8: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/8.jpg)
8
Caveat
Most examples in this talk will look like functional programmingIntension is to verify a low-level language (such as type-safe assembly language) Don’t have to trust the compiler Hopefully annotation methodologies
are general enough that people can be clever
![Page 9: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/9.jpg)
9
Certification of Running Time
Simplification: Only count function calls and loop iterations Functions and loops annotated with the cost of execution
int add1(int x)<0> { return x+1;
}int add3(int x)<3> {
x = add1(x); x = add1(x);return add1(x);
}
![Page 10: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/10.jpg)
10
Example
Function-typed arguments can influence the running time
int foo(int f(int x)<3>)<8> { return f(1)*f(3);
}But can restrict how the code is used
foo(add1);
foo(add3);
![Page 11: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/11.jpg)
11
Abstract Time
Useful to abstract the time annotationint foo (int f(int x)<k>) <2k+2> {
return f(1) * f(3); }
foo (add1); // k=0, takes 2 steps + 1 for call
foo (add3); // k=3, takes 8 steps + 1 for call
![Page 12: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/12.jpg)
12
Static Dependent Cost
What if the time depends on a non-function argument?Essential for recursive functions
uint fact (uint n)<n>{if (n == 0) return 1;else return (fact (n-1) * n);
}Note :
Time annotation must be non-negative Ignore underflow/overflow
![Page 13: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/13.jpg)
13
Size
What if the argument is not a uint or a function?Option: Pre-defined mapping from structured data values to their “sizes”
![Page 14: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/14.jpg)
14
Example - List
struct list {const uint val;const struct list* next;
}
The size of a list is its lengthSimplifying assumption - The members of the struct are const so that we do not have to track aliasing.
![Page 15: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/15.jpg)
15
Sumf
int sumf (uint f(uint)<k>; struct list* x; int acc) <length(x)*(k+2)> {
if (x == NULL) return acc; else { int acc2 = acc + f (x->val);
struct list* x2 = x -> next;sumf (f, x2, acc2);
}}
![Page 16: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/16.jpg)
16
Calling Sumf
sumf(add3, NULL,0); // 0*(3+2) + 1
struct list* x = new { val = 5; next = NULL };
sumf(add3, x,0) // 1*(3+2) + 1
![Page 17: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/17.jpg)
17
Size
What if the time of f is dependent?uint sumf (uint f(uint y)<y>; struct list* x; uint acc) <length(x)*(??+2)> { if (x == null) return acc; else { uint acc2 = acc + f (x->val);
struct list* x2 = x -> next;sumf (f, x2, acc2);
}}
![Page 18: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/18.jpg)
18
User-defined size
Need a programming language to express the mapping between datatypes and the time to iterate over them Expressive enough to represent structured
data, and functions over that data Not so expressive that equivalence is
undecidable
Need a way to connect dynamic data with a representation in this language
![Page 19: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/19.jpg)
19
Decidable, Expressive Language
Typed-lambda calculus with products, sums and primitive recursion over inductive typesSyntax of functional programming language MLTerminology Dynamic language -- Type-safe C Static language -- this annotation
language
![Page 20: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/20.jpg)
20
Static Language
Natural numbers (of type nat) and arithmetic operations 3+4 , 5*x
Higher-order functions fn (x : nat) => (fn (y :nat) => x+y) (of type nat (nat nat) )
Tuples (3,5) : nat nat
![Page 21: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/21.jpg)
21
Static Language
Sums and recursive types notated with datatypes
datatype bool = False | True
fun not (b:bool) = case b of True => False
| False => True
![Page 22: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/22.jpg)
22
Primitive Recursion
datatypes can recursively mention name only in positive positions
datatype foo = Bar of foo | Baz of foo * foo
datatype foo = Bar of foo foo
datatype foo = Bar of (foo int) foo
![Page 23: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/23.jpg)
23
Primitive Recursion
Recursive functions over these datatypes can only call themselves on subterms of their arguments
datatype foo = Bar of foo | Baz of foo * foo
fun iter (x : foo) = case x of Bar(w) => iter(x)
| Baz(y,z) => iter(y)
![Page 24: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/24.jpg)
24
List Representation
datatype list = Null | Cons of nat * list
fun time(m : list) = case m of Nil => 0 | Cons(val, next) =>
val+2+time(next)
![Page 25: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/25.jpg)
25
Decision Procedure
We must be able to decide if two terms in the static language are equivalentAlgorithm: convert each term to a normal form and compareNeed a reduction system for terms that is confluent and strongly normalizing
![Page 26: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/26.jpg)
26
Reduction Rules
Sample Reduction rules 3 + 4 --> 7 M + 0 --> M case Ci M of
C1 x1 => N1 | C2 x2 => N2 --> Ni [M/xi]
(fun f x => M ) N --> M[N/x, (fun f x => M)/f]
![Page 27: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/27.jpg)
27
Connecting the Languages
We must be able to use this static language to describe the values of the dynamic languageUse the type system to enforce that a dynamic term matches a static description
![Page 28: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/28.jpg)
28
Singleton Types
nat represents unsigned intsConnect constants in the two languagesIf m : nat , form singleton type uint<m>
uint<3> x;
x = 3; x = 4;
![Page 29: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/29.jpg)
29
Using fact
New type of factorialuint fact(uint<m> x)<m>;
fact(3); // takes time 3+1uint<n> x;fact(x); // takes time n+1
![Page 30: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/30.jpg)
30
Pointer Types
Consider pointer types int* Either a reference to an int or null int@ Must be a reference int<0> Must be a null pointer
Want to refine the type of a variable// x has type int*if (x == NULL) { // x has type int<0>} else { // x has type int@}
![Page 31: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/31.jpg)
31
Enforcement types
Static representation of integer pointersdatatype ptr = Null | Ptrintptr(m) =
case m of Null => int<0> | Ptr => int@
If x : intptr(Ptr) then we know x is not NULL
![Page 32: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/32.jpg)
32
Refinement
// suppose x : intptr(m)if (x == NULL) {
// here we know that x : int<0> // so therefore m must be Null, or // we’d get a contradiction
} else { // know that m is Ptr}
![Page 33: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/33.jpg)
33
List Enforcement Type
datatype list = Null | Cons( nat, list)
replist(m) = case m of Null => int<0>
| Cons(val,next) => struct { const uint<val> val; const replist(next) rest }@
![Page 34: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/34.jpg)
34
Using Enforcement Types
// if x has type replist(m)if (x == NULL) { // again x : int<0> } else {
// m must be Cons (val, next) // x: {const int<val> val; // const replist(next) rest }@ }
We’ve used a comparison in the dynamic code to increase our knowledge of the static representation
![Page 35: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/35.jpg)
35
User-defined Size
Iterate over list, calculating a nat to represent execution time
fun time(m : list) = case m of Nil => 0 | Cons(val, next) =>
val+2+time(next)
![Page 36: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/36.jpg)
36
Example : Code
uint sumf (uint f(uint y)<y>; replist(m) x; uint acc) <time(m)> { if (x == null) return acc; else { // m must Cons( val, next) // call to f takes time val + 1
uint acc2 = acc + f (x->val); struct list* x2 = x -> next;
// recursive call takes time(next) + 1 sumf (f, x2, acc2);
}}
![Page 37: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/37.jpg)
37
Other Resources
“Effect notation” int f(int)<3> doesn’t generalize to resources that can be recovered (e.g. space)
Alternative: Augment the operational semantics with a virtual clock that winds down as the program executes
![Page 38: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/38.jpg)
38
Virtual Clocks
Function types specify starting and ending times (int,12) f(int, 15) starts at time 15 and
finishes at time 12
Use polymorphism to abstract starting times (int, n) f(int,n+3) runs in 3 steps - it is
equivalent to int f(int)<3>
![Page 39: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/39.jpg)
39
Recoverable Resources
Consider: (int, n+12) f (int, n+15)vs. (int, n) f (int,n+3)
If the resource is free-space: the first function may allocate as many as
15 units, as long as it releases 12 of them before returning.
The second function only requires a minimum of 3 units of free-space to execute.
![Page 40: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/40.jpg)
40
Upper Bound
Sometimes it is enough just to know an upper bound of the running time.It is an approximation to help when static analysis fails.Add the instruction waste to the language to increment the virtual clockNo run-time effect
![Page 41: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/41.jpg)
41
Waste example
bool member (int x; replist(m) w) <length(m)>{
if (w == NULL) return false;else
// m=Cons( val , next) if (x == w->val) {
waste <next>; return true; } else { return member( w->next ); }
}
![Page 42: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/42.jpg)
42
TALres
We have implemented a similar system within the Typed Assembly Language frameworkClock contained in a virtual register, decremented on backwards jumpsTAL already has a sophisticated type constructor language Added sum and inductive kinds and refinement
procedure for comparison instructions Operations on static natural numbers
![Page 43: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/43.jpg)
43
Source Language
Prototype implementation: PopCron Resembles C + timing annotations No separation between static and
dynamic languages
Compiler to TALres creates representations of datatypes
and their enforcement types
![Page 44: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/44.jpg)
44
The real details
Static and dynamic language are really two levels of the same language Static language is embedded in the dynamic
language as a language of type constructors Types of dynamic language are constants in
the static language Types of static language are referred to as
kinds
![Page 45: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/45.jpg)
45
More details
Building block for refinement is “virtual case analysis”
![Page 46: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/46.jpg)
46
Another Example
Dynamic treesunion tree {
uint Leaf;struct node Node;
}struct Node {
const tree@ left;const tree@ right;
}
Static representation
datatype tree = Leaf of nat
| Node of tree * tree
![Page 47: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/47.jpg)
47
Tree example
size (t : tree) = case t of Leaf(x) => x +1 | Node (left, right) => size(left)
+ size(right) + 2
uint sumf (uint f(uint<k>)<k>; reptree(t) t) <size(t)> {switch t {
case Leaf(x): return f(x); case Node(x):
return sumf(x.left) + sumf(x.right); }
}
![Page 48: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/48.jpg)
48
Enforcement type for trees
reptree (tree) = case tree of Leaf x =>
union { uint<x> Leaf; empty Node;} | Node (left, right) =>
union { empty Leaf; struct { const reptree(left)@ left;
const reptree(right)@ right; } Node;
}
![Page 49: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/49.jpg)
49
Virtual Case
switch t { case Leaf(x): // Suppose at runtime we could examine the
static // representation case t of
Leaf (x) => This is the only branch that could occurNode (x) =>… as here x is of type empty
![Page 50: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/50.jpg)
50
Virtual Case
switch t { case Leaf(x): // Since one branch is impossible we don’t need
to // specify it
vcase t of Leaf(x) => // binds x in following code
This case statement is virtual because we know what branch will be taken -- no run time effect
![Page 51: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/51.jpg)
51
Related Work
FX Reistad and Gifford, 94
Sized Types Hughes, Pareto, Sabry, 96 Chin Khoo, 00
PCC Necula and Lee, 97
DML Xi and Pfenning, 98
![Page 52: 1 Resource Bound Certification Stephanie Weirich Cornell University Joint work with Karl Crary, CMU.](https://reader038.fdocuments.us/reader038/viewer/2022110321/56649ce15503460f949abcc0/html5/thumbnails/52.jpg)
52
Future Work
Extension of implementation to other resources More flexible enforcement typesStronger equational logicInference and analysis in source language