Certificates for incremental type checking

Size: px

Start display at page:

Download "Certificates for incremental type checking"

Calvin Cameron
5 years ago
Views:

1 Certificates for incremental type checking Matthias Puech 1,2 Yann Régis-Gianas 2 1 Dept. of Computer Science, University of Bologna 2 Univ. Paris Diderot, Sorbonne Paris Cité, PPS, CNRS, πr 2, INRIA June 20, 2012 PPS Groupe de travail théorie des types et réalisabilité 1 / 31

2 Introduction How to make a type checker incremental? How to trust your type checker? Using Gasp As a programmer The LF notation for derivations As a type system designer The design of Gasp Data structures Typed evaluation algorithm 2 / 31

3 Problem 1: How to make a type checker incremental? 3 / 31

4 Certificates for incremental type-checking Observations Program elaboration is more and more an interaction between the programmer and the type-checker The richer the type system is, the more expensive type-checking gets Example type inference (e.g. Haskell, unification) dependent types (conversion, esp. reflection) very large term 4 / 31

5 Certificates for incremental type-checking Observations Program elaboration is more and more an interaction between the programmer and the type-checker The richer the type system is, the more expensive type-checking gets Example type inference (e.g. Haskell, unification) dependent types (conversion, esp. reflection) very large term... but is called repeatedly with almost the same input 4 / 31

6 Certificates for incremental type-checking 5 / 31

7 Certificates for incremental type-checking 5 / 31

8 Certificates for incremental type-checking 5 / 31

9 Certificates for incremental type-checking 5 / 31

10 Certificates for incremental type-checking 5 / 31

11 Certificates for incremental type-checking 5 / 31

12 Certificates for incremental type-checking 5 / 31

13 Certificates for incremental type-checking 5 / 31

14 Certificates for incremental type-checking 5 / 31

15 Certificates for incremental type-checking 5 / 31

16 Certificates for incremental type-checking 5 / 31

17 Certificates for incremental type checking Problem How to take advantage of the knowledge from previous type-checks? Reuse already-computed results Recheck only the changed part of a program and its impact 6 / 31

18 Problem 2: How to trust your type checker? 7 / 31

19 A compiler designer s job System Z : env tm tp option set of declarative inference rules decision algorithm 8 / 31

20 A compiler designer s job System Z : env tm tp option set of declarative inference rules decision algorithm non trivial (inference, conversion... ) critical 8 / 31

21 Example: System T <: Syntax M ::= o s(m) MM λx. M rec(m, N, xy. P ) A ::= nat even odd A A Typing rules M : nat N : A rec(m, N, xy. P ) : A [ x : nat] [ y : A]. P : A M : A M : B A B 9 / 31

22 Example: System T <: Syntax M ::= o s(m) MM λx. M rec(m, N, xy. P ) A ::= nat even odd A A Typing rules M : nat N : A rec(m, N, xy. P ) : A [ x : nat] [ y : A]. P : A M : A M : B A B Not syntax directed! 9 / 31

23 Example: System T <: Typing algorithm Γ M : A B Γ N : A Γ M N : B 10 / 31

24 Example: System T <: Typing algorithm Γ M : A B Γ N : A Γ A A Γ N : A Γ M N : B 10 / 31

25 Example: System T <: Typing algorithm Γ M : nat Γ N : A Γ, x : nat, y : A P : A rec(m, N, xy. P ) : A 10 / 31

26 Example: System T <: Typing algorithm Γ M : T M Γ T M nat Γ N : T N Γ, x : nat, y : T N P : T P Γ, x : nat, y : T N T P P : T N T P Γ rec(m, N, xy. P ) : T N T P 10 / 31

27 Example: System T <: Typing algorithm Γ M : T M Γ T M nat Γ N : T N Γ, x : nat, y : T N P : T P Γ, x : nat, y : T N T P P : T N T P Γ rec(m, N, xy. P ) : T N T P Far from the declarative system Hard to prove 10 / 31

28 How to trust your typing algorithm? Option 1 Prove equivalence: Γ M = Some A iff M : A + the safest tedious proof non modular

29 How to trust your typing algorithm? Option 2 Return a System T <: derivation: Checked a posteriori: : env tm tp deriv kernel : env deriv bool only certifying (not certified) + lightweight + evident witness of well-typing (PCC,... ) 11 / 31

30 How to trust your typing algorithm? Option 2 Return a System T <: derivation: Checked a posteriori: : env tm tp deriv kernel : env deriv bool only certifying (not certified) + lightweight + evident witness of well-typing (PCC,... )... but there is more 11 / 31

31 Observation Let D = M. Let M be a slightly modified M. Then D = M is a slightly modified D. 12 / 31

32 Observation 12 / 31

33 Back to Problem 1 Problem How to take advantage of the knowledge from previous type-checks? Reuse pieces of a computed derivation D Check only the changed part (the delta) of a program M Requirements δ M M D M D M D M M : A iff (D M, δ M M ) = D M (D M, δ M M ) computes D M in less than O( M ) (ideally O( δ M M )) 13 / 31

34 Back to Problem 1 Bidirectional incremental updates Derivations Lens Programs D get M δ D put M get(d) projects derivation D to a program M put(d, δ) checks δ against D and returns D the incremental type-checker change-based approach justification for each change (D ) 13 / 31

35 Examples initial term let f x = x + 1 in f 3 / 2 14 / 31

36 Examples initial term let f x = x + 1 in f 3 / 2 easy interleave let f x = 2 * (x + 1) in f 3 / 2 14 / 31

37 Examples initial term let f x = x + 1 in f 3 / 2 easy interleave let f x = 2 * (x + 1) in f 3 / 2 env interleave let f x = (let y = true in x + 1) in f 3 / 2 14 / 31

38 Examples initial term let f x = x + 1 in f 3 / 2 easy interleave let f x = 2 * (x + 1) in f 3 / 2 env interleave let f x = (let y = true in x + 1) in f 3 / 2 type change let f x = x > 1 in f 3 / 2 14 / 31

39 In this talk... The message Generating certificates of well-typing allows type checking incrementality by sharing pieces of derivations The difficulty Proofs are higher-order objects (binders, substitution property) What delta language? What data structure for derivations? What language to write synthesis algorithm? 15 / 31

40 In this talk... The artifact Gasp: a language-independent backend to develop certifying, incremental type checkers syntax typing rules checker (untrusted) incremental checker tactic writing language version control... The open question What else can we do with it? 15 / 31

41 Introduction How to make a type checker incremental? How to trust your type checker? Using Gasp As a programmer The LF notation for derivations As a type system designer The design of Gasp Data structures Typed evaluation algorithm 16 / 31

42 Introduction How to make a type checker incremental? How to trust your type checker? Using Gasp As a programmer The LF notation for derivations As a type system designer The design of Gasp Data structures Typed evaluation algorithm 17 / 31

43 Example # Gasp / 31

44 Example Gasp 0.1 # (rec(s(o), s(o), xy. s(x))) 18 / 31

45 Example Gasp 0.1 # (rec(s(o), s(o), xy. s(x))) D 1 : s(o) : odd = o : even s(o) : odd 18 / 31

46 Example Gasp 0.1 # (rec(s(o), s(o), xy. s(x))) D 1 : s(o) : odd = o : even s(o) : odd [ x : nat] D 2 [ x : nat] : s(x) : nat = s(x) : nat 18 / 31

47 Example Gasp 0.1 # (rec(s(o), s(o), xy. s(x))) D 1 : s(o) : odd = o : even s(o) : odd [ x : nat] D 2 [ x : nat] : s(x) : nat = s(x) : nat D 3 : s(o) : nat = D 1 odd nat s(o) : nat 18 / 31

48 Example Gasp 0.1 # (rec(s(o), s(o), xy. s(x))) D 1 : s(o) : odd = o : even s(o) : odd [ x : nat] D 2 [ x : nat] : s(x) : nat = s(x) : nat D 3 : s(o) : nat = D 1 odd nat s(o) : nat [ x : nat] D 4 : rec(s(o), s(o), xy. s(x)) : nat = D 1 D 3 rec(s(o), s(o), xy. s(x)) : na D 2 18 / 31

49 Example Gasp 0.1 # (rec(s(o), s(o), xy. s(x))) D 1 : s(o) : odd = o : even s(o) : odd [ x : nat] D 2 [ x : nat] : s(x) : nat = s(x) : nat D 3 : s(o) : nat = D 1 odd nat s(o) : nat [ x : nat] D 4 : rec(s(o), s(o), xy. s(x)) : nat = D 1 D 3 rec(s(o), s(o), xy. s(x)) : na Functions M : derivation generator D 2 18 / 31

50 Example # (rec(s(s(o)), s(o), xy. s(x))) Functions M : derivation generator 19 / 31

51 Example # (rec(s(s(o)), s(o), xy. s(x))) Functions M : derivation generator 19 / 31

52 Example # (rec(s(d 1 ), D 3, xy. s(x))) Functions M : derivation generator 19 / 31

53 Example # (rec(s( D 1 ), D 3, xy. s(x))) Functions M : derivation generator D : coercion from derivation to the program it types 19 / 31

54 Example # (rec(s( D 1 ), D 3, xy. D 2 )) Functions M : derivation generator D : coercion from derivation to the program it types 19 / 31

55 Example # (rec(s( D 1 ), D 3, xy. D 2 [ x])) Functions M : derivation generator D : coercion from derivation to the program it types 19 / 31

56 Example # (rec(s( D 1 ), D 3, xy. D 2 [ x]))... (all of the above, plus:) D 5 : s(s(o)) : nat =... D 6 : rec(s(s(o)), s(o), xy. s(x)) : nat =... Functions M : derivation generator D : coercion from derivation to the program it types 19 / 31

57 Example # (rec(s( D 1 ), D 3, xy. D 2 [ x]))... (all of the above, plus:) D 5 : s(s(o)) : nat =... D 6 : rec(s(s(o)), s(o), xy. s(x)) : nat =... # (rec( D 5, D 3, xy. D 2 [D 2 [ x]])) Functions M : derivation generator D : coercion from derivation to the program it types 19 / 31

58 Methodology user inputs commands made of terms (programs), functions (, ) and contextual metavariables D i to each function A B there is an inverse B A (put output back into input) system evaluates functions to value (derivations) checks value (kernel) extracts (from context) and names all subterms to a map (repository) for future reuse: slicing 20 / 31

59 What notation for derivations? Preamble First-order vs. higher-order notations Γ, A B vs. Γ A B [ A]. B A B Explicit structural rules Handled by the notation 21 / 31

60 What notation for derivations? Preamble First-order vs. higher-order notations [ A] Γ, A B Γ A B Explicit structural rules vs.. B A B Handled by the notation Local vs. global verification D 1 A B C B C D 2 A Can locally verify rule vs. M N Need M and N 21 / 31

61 What notation for derivations? The LF notation is a higher-order, local notation for derivations (and terms). Comes with a small verification algorithm (typing) Adequacy in LF, a is a example atomic type constant syntactical category tm : family of types constant judgement is : tm tp object constant constructor or rule lam : (tm tm) tm applied object constant rule application well-typed object well-formed derivation Examples is lam : ΠA,B : ty. Πt : tm tm. (Πx : tm. is x A is (t x) B) is (lam A (λx. t x))(arr A B) is lam nat nat (λx. x) (λx h. D[x, h]) : is (lam λx. D) (arr nat nat) 21 / 31

62 What notation for derivations? Syntax K ::= Πx : A. K Kind A ::= Πx : A. A P Type family P ::= a S Atomic type M ::= λx. M F Canonical object F ::= H S Atomic object H ::= x c Head S ::= M S Spine The F are the values we want to manipulate. 21 / 31

63 What notation for derivations? Syntax K ::= Πx : A. K Kind A ::= Πx : A. A P Type family P ::= a S Atomic type M ::= λx. M F Canonical object F ::= H S Atomic object H ::= x c Head S ::= M S Spine The F are the values we want to manipulate.... what are the computations? 21 / 31

64 How to write the unsafe type checker? The computation language CL: an unsafe language to manipulate LF objects but with runtime check: each input & output of functions must be well-typed Syntax T ::= λx. T U Term U ::= F case U in Γ of C C ::= C P U Atomic term Branches P ::= H x... x Pattern 22 / 31

65 Example : ΠM : tm. ΣA : tp. ( M : A) = 23 / 31

66 Example : ΠM : tm. ΣA : tp. ( M : A) = λm. case M of 23 / 31

67 Example : ΠM : tm. ΣA : tp. ( M : A) = λm. case M of o even, o : even s(m) case M of D even, D odd, s M : odd D odd, D even, s M : even nat, D nat, D s M : nat 23 / 31

68 Example M N let A 1 B, D 1 = M in let A 2, D 2 = N in let D = A 1 A 2 in case D of A A B, D 1 D 2 M N : B D 2 D B, D 1 N : A 1 M N : B Functions : ΠA : tp. ΠB : tp. A B = / 31

69 Example λx : A. M x 23 / 31

70 Example λx : A. M let B, D = M in A B, x??? D λx. M : A B 23 / 31

71 Example λx : A. M let B, D = M[x/ A, D x ] in A B, x??? Note A, D = A, D [D x ] D λx. M : A B 23 / 31

72 Example λx : A. M let B, D in D x : ( x : A) = M[x/ A, D x ] in [D x ] D A B, λx. M : A B x??? Note A, D = A, D 23 / 31

73 Example rec(m, N, xy. P ) let A M, D M = M in let D AM = A M nat in let A N, D N = N in let A P, D P in (D x : ( x : nat), D y : ( y : A N )) = P [x/ nat, D x, y/ A N, D y ] in let A, D AN, D AP = A N A P in let, D P in (D x : ( x : nat), D y : ( y : A)) = P [x/ nat, D x, y/ A, D y ] in [D x ][D y ] D M D AM D N D AN D P M : A N : A P : A A, rec(m, N, xy. P ) : A D AP Functions : ΠA : tp. ΠB : tp. ΣC : tp. ( A C) ( B C) = / 31

74 Discussion the type of a function is a kind of contract: M : tm D : ( M : A) 24 / 31

75 Discussion the type of a function is a kind of contract: M : tm D : ( M : A) inverses used to feed output back to input, same idea as context-free typing: M ::= x M M λx : A. M {x : A} M[x/{x : A}] : B λx : A. M : A B {x : A} : A 24 / 31

76 Introduction How to make a type checker incremental? How to trust your type checker? Using Gasp As a programmer The LF notation for derivations As a type system designer The design of Gasp Data structures Typed evaluation algorithm 25 / 31

77 Sliced LF Syntax K ::= Πx : A. K Kind A ::= Πx : A. A P Type family P ::= a S Atomic type M ::= λx. M F Canonical object F ::= H S X[σ] Atomic object H ::= x c f Head S ::= M S Spine σ ::= σ, x/m Parallel substitution The X[σ] stand for open objects (CMTT). The σ close them. The f are computations to do 26 / 31

78 Data structures Signature An object language is defined by a signature: Σ ::= Σ, a : K Σ, c : A Σ, f : A = T Repository A repository is the sliced representation of an atomic object (evar_map): R : (X (Γ F : P )) X[σ] We define co(r) the operation of stripping out all metavariables 27 / 31

79 Inverse functions To each f : A = T Σ, associate a family of f n : A n = T n Project out the n-th argument of f Examples infer : ΠM : tm. ΣA : tp. is M A = T infer 0 : Π{M} : tm. (ΣA : tp. is M A) tm = λx. λy. x equal : ΠM : tm. ΠN : tm. eq M N = T equal 0 : Π{M} : tm. Π{N} : tm. eq M N tm = λm. λn. λh. m equal 1 : Π{M} : tm. Π{N} : tm. eq M N tm = λm. λn. λh. n Evaluation infer (infer 0 A, D ) = A, D equal (equal 0 D) (equal 1 D) = D 28 / 31

80 The typed evaluation algorithm In [P. & R-G., CPP 12], we define ci R (F ): evaluates functions f in F checks F, functions arguments and return (w.r.t. type of f ) slices values in R returns the enlarged R 29 / 31

81 Evaluation strategy We want strong reduction Example lam λx. f (s(x)) not a value 30 / 31

82 Evaluation strategy We want strong reduction Example lam λx. f (s(x)) not a value But not call-by-value Example (rec(s( D 1 ), D 3, xy. D 2 [ x])) 30 / 31

83 Evaluation strategy We want strong reduction Example lam λx. f (s(x)) not a value But not call-by-value Example (rec(s( D 1 ), D 3, xy. D 2 [ x])) And not call-by-name either Example (id ( D)) D 30 / 31

84 Evaluation strategy We want strong reduction Example lam λx. f (s(x)) not a value But not call-by-value Example (rec(s( D 1 ), D 3, xy. D 2 [ x])) And not call-by-name either Example (id ( D)) D 30 / 31

85 Evaluation strategy We want strong reduction Example lam λx. f (s(x)) not a value But not call-by-value Example (rec(s( D 1 ), D 3, xy. D 2 [ x])) And not call-by-name either Example (id ( D)) D Ugly solution Strong call-by-name except in function f argument position weak head call-by-name except f n 30 / 31

86 Conclusion Demo 31 / 31

MLW. Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky. March 26, Radboud University Nijmegen

MLW. Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky. March 26, Radboud University Nijmegen 1 MLW Henk Barendregt and Freek Wiedijk assisted by Andrew Polonsky Radboud University Nijmegen March 26, 2012 inductive types 2 3 inductive types = types consisting of closed terms built from constructors