Type Soundness and Race Freedom for Mezzo
|
|
- Elinor Rogers
- 5 years ago
- Views:
Transcription
1 Type Soundness and Race Freedom for Mezzo Thibaut Balabonski François Pottier Jonathan Protzenko INRIA FLOPS / 42
2 Mezzo in a few words Mezzo is a high-level programming language, equipped with: algebraic data types; first-class functions; garbage collection; mutable state; shared-memory concurrency Its static discipline is based on permissions 2 / 42
3 Permissions by example val r1 = newref () (* ref () *) 3 / 42
4 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) 3 / 42
5 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) 3 / 42
6 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) 3 / 42
7 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) 3 / 42
8 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) val p = (r1, r2) (* ref int * r2 = r1 * int * (=r1, =r2) *) 3 / 42
9 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) val p = (r1, r2) (* ref int * r2 = r1 * int * (=r1, =r2) *) val () = assert (ref int, ref int) (* REJECTED *) 3 / 42
10 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) val p = (r1, r2) (* ref int * r2 = r1 * int * (=r1, =r2) *) val () = assert (ref int, ref int) (* REJECTED *) val () = assert (r: ref int, =r) (* ACCEPTED *) 3 / 42
11 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) val p = (r1, r2) (* ref int * r2 = r1 * int * (=r1, =r2) *) val () = assert (ref int, ref int) (* REJECTED *) val () = assert (r: ref int, =r) (* ACCEPTED *) val () = assert (=r, r: ref int) (* ACCEPTED *)
12 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 (* ref () * =r1 *) Why do this? (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) val p = (r1, r2) (* ref int * r2 = r1 * int * (=r1, =r2) *) val () = assert (ref int, ref int) (* REJECTED *) val () = assert (r: ref int, =r) (* ACCEPTED *) val () = assert (=r, r: ref int) (* ACCEPTED *)
13 Permissions by example val r1 = newref () (* ref () *) val r2 = r1 For fun and (* ref () * =r1 *) profit, of course! Why do this? (* ref () * r2 = r1 *) val () = r1 := 0 (* ref int * r2 = r1 *) val x2 =!r2 + 1 (* ref int * r2 = r1 * int *) val p = (r1, r2) (* ref int * r2 = r1 * int * (=r1, =r2) *) val () = assert (ref int, ref int) (* REJECTED *) val () = assert (r: ref int, =r) (* ACCEPTED *) val () = assert (=r, r: ref int) (* ACCEPTED *) 3 / 42
14 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () 4 / 42
15 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () Then, let s = make() in produces set t 4 / 42
16 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () Then, let s = make() in produces set t cannot do merge(s, s); 4 / 42
17 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () Then, let s = make() in produces set t cannot do merge(s, s); cannot do merge(s1, s2); insert(s2, x); 4 / 42
18 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () Then, let s = make() in produces set t cannot do merge(s, s); cannot do merge(s1, s2); insert(s2, x); cannot do insert(s, x1) and insert(s, x2) in independent threads 4 / 42
19 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () Then, error in sequential code: let s = make() in produces set t protocol violation cannot do merge(s, s); cannot do merge(s1, s2); insert(s2, x); cannot do insert(s, x1) and insert(s, x2) in independent threads 4 / 42
20 Motivation Imagine an imperative implementation of sets: val make: [a] () -> set a val insert: [a] (set a, consumes a) -> () val merge: [a] (set a, consumes set a) -> () Then, error in concurrent code: let s = make() in produces set t data race cannot do merge(s, s); cannot do merge(s1, s2); insert(s2, x); cannot do insert(s, x1) and insert(s, x2) in independent threads 4 / 42
21 Permissions, in a nutshell Like a program logic, Mezzo's static discipline is flow-sensitive A current (set of) permission(s) exists at each program point Different permissions exist at different points There is no such thing as the type of a variable A permission has layout and ownership readings A permission is either duplicable or affine 5 / 42
22 What this talk is not about The paper and talk do not discuss: algebraic data types, which describe tree-shaped data, (static) regions, which can describe non-tree-shaped data, adoption & abandon, a dynamic alternative to regions, and much more (ICFP 2013) 6 / 42
23 Algebraic data types data list a = Nil Cons { head: a; tail: list a } data mutable mlist a = MNil Censored MCons { head: a; tail: mlist a } 7 / 42
24 Melding mutable lists val rec meld_aux [a] (xs: MCons { head: a; tail: mlist a }, consumes ys: mlist a) : () = match xstail with MNil -> xstail <- ys MCons -> end Censored meld_aux (xstail, ys) 8 / 42
25 Concatenating immutable lists val rec append_aux [a] (consumes ( dst: MCons { head: a; tail: () }, xs: list a, ys: list a )) : ( list a) = match xs with Cons -> let dst' = MCons { head = xshead; tail = () } in dsttail <- dst'; Nil -> tag of dst <- Cons; append_aux (dst', xstail, ys) dsttail <- ys; tag of dst <- Cons end Censored 9 / 42
26 Regions abstract region val newregion: () -> region abstract rref (rho : value) a fact duplicable (rref rho a) val newrref: (consumes x: a region) -> rref rho a val get: (r: rref rho a duplicable a region) -> a Censored val set: (r: rref rho a, consumes x: a region) -> () 10 / 42
27 Adoption and abandon val dfs [a] (g: graph a, f: a -> ()) : () = let s = stack::new groots in stack::work (s, fun (n: dynamic graph a * stack dynamic) : () = take n from g; if not nvisited then begin nvisited <- true; ) end; f ncontent; stack::push (nneighbors, s) give n to g Censored 11 / 42
28 What this talk is about So, what are the paper and talk about? extend Mezzo with threads and locks; describe a modular, machine-checked proof of type soundness; data race freedom 12 / 42
29 Outline Threads, data races, and locks (by example) Mezzo's architecture The kernel and its proof (glimpses) Conclusion 13 / 42
30 A data race open thread val r = newref 0 val f ( ref int ) : () = r :=!r + 1 val () = spawn f ; spawn f 14 / 42
31 A data race open thread val r = newref 0 val f ( ref int ) : () = r :=!r + 1 val () = spawn f ; spawn f f requires ref int and gives it back 14 / 42
32 A data race open thread val r = newref 0 val f ( ref int ) : () = r :=!r + 1 val () = spawn f ; spawn f spawn f requires ref int and does NOT give it back 14 / 42
33 A data race open thread val r = newref 0 val f ( ref int ) : () = r :=!r + 1 val () = spawn f ; spawn f TYPE ERROR! (in fact, this code is racy) 14 / 42
34 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f 15 / 42
35 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f this consumes ref int the lock now mediates access to it 15 / 42
36 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f f requires no permission lock () is duplicable 15 / 42
37 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f acquiring the lock produces ref int 15 / 42
38 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f ref int allows updating r 15 / 42
39 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f releasing the lock consumes ref int 15 / 42
40 Introducing synchronization open thread open lock val r = newref 0 val l : lock ref int) = new() val f ( ) : () = acquire l; r :=!r + 1; release l val () = spawn f ; spawn f WELL-TYPED! (yup, this code is race free) 15 / 42
41 Abstracting synchronization (* A second-order function *) val hide : [a, b, s : perm ] ( f : (consumes a s) -> b consumes s ) -> (consumes a) -> b 16 / 42
42 Abstracting synchronization (* A second-order function *) val hide : [a, b, s : perm ] ( f : (consumes a s) -> b consumes s ) -> (consumes a) -> b hide is polymorphic in s eg, ref int 16 / 42
43 Abstracting synchronization (* A second-order function *) val hide : [a, b, s : perm ] ( f : (consumes a s) -> b consumes s ) -> (consumes a) -> b hide takes a function f which has a side effect on s 16 / 42
44 Abstracting synchronization (* A second-order function *) val hide : [a, b, s : perm ] ( f : (consumes a s) -> b consumes s ) -> (consumes a) -> b hide consumes s which becomes owned by the lock 16 / 42
45 Abstracting synchronization (* A second-order function *) val hide : [a, b, s : perm ] ( f : (consumes a s) -> b consumes s ) -> (consumes a) -> b hide produces a new function which has no advertised effect 16 / 42
46 A synchronization pattern open lock val hide [a, b, s : perm] ( f : (consumes a s) -> b consumes s ) : (consumes a) -> b = let l : lock s = new () in fun (consumes x : a) : b = acquire l; let y = f x in release l; y 17 / 42
47 Introducing synchronization, revisited open thread open hide val r = newref 0 val f ( ref int) : () = r :=!r + 1 val f = hide f val () = spawn f; spawn f 18 / 42
48 Introducing synchronization, revisited open thread open hide val r = newref 0 val f ( ref int) : () = r :=!r + 1 val f = hide f val () = spawn f; spawn f ref int 18 / 42
49 Introducing synchronization, revisited open thread open hide val r = newref 0 val f ( ref int) : () = r :=!r + 1 val f = hide f val () = spawn f; spawn f ref int ( ref int) -> () 18 / 42
50 Introducing synchronization, revisited open thread open hide val r = newref 0 val f ( ref int) : () = r :=!r + 1 val f = hide f val () = spawn f; spawn f () -> () 18 / 42
51 Introducing synchronization, revisited open thread open hide val r = newref 0 val f ( ref int) : () = r :=!r + 1 val f = hide f val () = spawn f; spawn f WELL-TYPED! (yup, this code is race free) 18 / 42
52 Outline Threads, data races, and locks (by example) Mezzo's architecture The kernel and its proof (glimpses) Conclusion 19 / 42
53 What is Mezzo? A kernel: a λ-calculus with threads; affine, polymorphic, value-dependent, with type erasure Several extensions: mutable state: references; hidden state: locks; dynamic ownership control: adoption and abandon All machine-checked in Coq (14KLOC) 20 / 42
54 Modularity We wish to prove that well-typed programs: do not go wrong; are data-race free This is trivial - true of all programs - in the kernel calculus! Subject reduction and progress are non-trivial results We set up their proof so that it is robust in the face of extensions 21 / 42
55 Modularity We parameterize the kernel with: a type of machine states s; a type of instrumented states R, or resources; which must form a monotonic separation algebra; a correspondence relation, s R Subject reduction and progress hold for all such parameters 22 / 42
56 Pseudo-Modularity The kernel is not parameterized wrt the extensions We add the extensions, one after another, on top of the kernel So, the Coq code is monolithic Fortunately, each extension is (morally) independent of the others; the key statements do not change with extensions; only new proof cases appear 23 / 42
57 Outline Threads, data races, and locks (by example) Mezzo's architecture The kernel and its proof (glimpses) Conclusion 24 / 42
58 Values and terms A fairly unremarkable untyped λ-calculus with threads κ ::= value term soup (Kinds) v ::= x λxt (Values) t ::= v v ṫ spawn v v (Terms) 25 / 42
59 Operational semantics initial configuration new configuration s / (λxt) v s / [v/x]t s / E[t] s / E[t ] if s / t s / t s / thread (t) s / thread (t ) if s / t s / t s / t 1 t 2 s / t 1 t 2 if s / t 1 s / t 1 s / t 1 t 2 s / t 1 t 2 if s / t 2 s / t 2 s / thread (D[spawn v 1 v 2 ]) s / thread (D[()]) thread (v 1 v 2 ) 26 / 42
60 Operational semantics an abstract notion of machine state initial configuration new configuration s / (λxt) v s / [v/x]t s / E[t] s / E[t ] if s / t s / t s / thread (t) s / thread (t ) if s / t s / t s / t 1 t 2 s / t 1 t 2 if s / t 1 s / t 1 s / t 1 t 2 s / t 1 t 2 if s / t 2 s / t 2 s / thread (D[spawn v 1 v 2 ]) s / thread (D[()]) thread (v 1 v 2 ) 26 / 42
61 Types and permissions κ ::= type perm (Kinds) T, U ::= x =v T T (T P) (Types) x : κt x : κt P, Q ::= x T empty P P (Permissions) x : κp x : κp duplicable θ θ ::= T P 27 / 42
62 The typing judgement A traditional type system uses a list Γ of type assumptions: Γ t : T Mezzo splits it into a list K of kind assumptions and a permission P: K, P t : T This can be read like a Hoare triple: K { P} t { T} 28 / 42
63 The typing judgement A typing judgement about a running program (or thread) depends on a resource R: R, K, P t : T R is the thread's partial, instrumented view of the machine state 29 / 42
64 Resources A resource is: partial: a resource could be, say, a heap fragment; instrumented: a resource could record whether each location is mutable or immutable 30 / 42
65 Resources A resource is: partial: a resource could be, say, a heap fragment; instrumented: a resource could record whether each location is mutable or immutable At this stage, though, resources are abstract What properties must we require of them? 30 / 42
66 Monotonic separation algebra R R 1 R 2 R R 1 R 2 resource eg, an instrumented heap fragment maps every address to, N, X v, or D v conjunction eg, requires separation at mutable addresses requires agreement at immutable addresses duplicable core eg, throws away mutable addresses keeps immutable addresses tolerable interference (rely) eg, allows memory allocation 31 / 42
67 Working with abstract resources Star is commutative and associative R 1 R 2 ok implies R 1 ok R R = R R 1 R 2 = R and R ok imply R 1 = R R R = R implies R = R R R = R R R R 1 ok and R 1 R 2 imply R 2 ok R 1 R 2 implies R 1 R 2 rely preserves splits: R 1 R 2 R R 1 R 2 ok R 1R 2, R 1 R 2 = R R 1 R 1 R 2 R 2 32 / 42
68 A small set of typing rules Singleton R; K; P v : =v Frame R; K; P t : T R; K; P Q t : T Q Function R; K, x : value; P T t : U R; K; (duplicable P) P λxt : T U ForallIntro t is harmless R; K, x : κ; P t : T R; K; x : κp t : x : κt ExistsIntro R; K; P v : [U/x]T R; K; P v : x : κt Cut R 2 ; K; P 1 P 2 t : T R 1 ; K P 1 R 1 R 2 ; K; P 2 t : T ExistsElim R; K, x : κ; P t : T R; K; x : κp t : T SubLeft K P 1 P 2 R; K; P 1 t : T R; K; P 2 t : T SubRight R; K; P t : T 1 K T 1 T 2 R; K; P t : T 2 Application R; K; Q t : T R; K; T U) Q v t : U Spawn R; K; (v T U) (v T) spawn v 1 v 2 : 33 / 42
69 Selected typing rules The kernel typing rules manipulate R abstractly R ; K, x : value; P T t : U R; K; (duplicable P) P λxt : T U R 2 ; K; P 1 P 2 t : T R 1 ; K P 1 R 1 R 2 ; K; P 2 t : T 34 / 42
70 Selected typing rules The kernel typing rules manipulate R abstractly R ; K, x : value; P T t : U R; K; (duplicable P) P λxt : T U cannot capture an arbitrary resource R can capture its duplicable core R R 2 ; K; P 1 P 2 t : T R 1 ; K P 1 R 1 R 2 ; K; P 2 t : T 34 / 42
71 Selected typing rules The kernel typing rules manipulate R abstractly R R 2 ; K; P 1 P 2 t : T ; K, x : value; P T t : U R 1 ; K P 1 R; K; (duplicable P) P λxt : T U R 1 R 2 ; K; P 2 t : T if a typing rule has two premises then R must be split between them 34 / 42
72 Subject reduction Lemma (SR, preliminary form) R 2 R 2 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 35 / 42
73 Subject reduction one thread takes a step Lemma (SR, preliminary form) R 2 R 2 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 35 / 42
74 Subject reduction Lemma (SR, preliminary form) R 2 R 2 this thread's view is R 1 the other threads' view is R 1 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 35 / 42
75 Subject reduction Lemma (SR, preliminary form) R 2 R 2 this thread is well-typed under its view s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 35 / 42
76 Subject reduction Lemma (SR, preliminary form) R 2 R 2 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 this thread's view and the other threads' view evolve 35 / 42
77 Subject reduction Lemma (SR, preliminary form) R 2 R 2 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 the new machine state agrees with the new views 35 / 42
78 Subject reduction Lemma (SR, preliminary form) R 2 R 2 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 the thread remains well-typed under its view 35 / 42
79 Subject reduction Lemma (SR, preliminary form) R 2 R 2 s 1 / t 1 s 2 / t 2 s 1 R 1 R 1 R 1 ; ; empty t 1 : T s 2 R 2 R 2 R 2 ; ; empty t 2 : T R 1 R 2 the interference inflicted on the other threads is tolerable 35 / 42
80 Subject reduction Theorem (Subject Reduction) Reduction preserves well-typedness c 1 c 2 c 1 c 2 36 / 42
81 Progress A configuration c is acceptable if every thread: has reached an answer; or is able to make one step; or (after introducing locks) is waiting on a locked lock Theorem (Progress) Every well-typed configuration is acceptable 37 / 42
82 Data race freedom Cannot be stated for the kernel We introduce references first There, writing requires an exclusive access right Hence, it is easy to prove that: Theorem A well-typed program cannot exhibit a data race 38 / 42
83 Outline Threads, data races, and locks (by example) Mezzo's architecture The kernel and its proof (glimpses) Conclusion 39 / 42
84 Related work Alias Types Separation Logic L 3 (And a lot more) Views (Dinsdale-Young et al, 2013) are particularly relevant extensible framework; monolithic machine state, composable views, agreement; while-language instead of a λ-calculus 40 / 42
85 A few lessons The good old syntactic approach to type soundness works Formalization helps clarify and simplify A lot In the end, it is just affine λ-calculus 41 / 42
86 Thank you More information in the paper and online: Try it out! 42 / 42
87 Road map weakening affinity duplication substitution stability classification decomposition type soundness subject reduction progress soundness of subsumption canonicalization 1 / 7
88 Dealing with binding In Coq, we use only one syntactic category Well-kindedness distinguishes values, terms, types, etc avoids a quadratic number of substitution functions! makes it easy to deal with dependency Binding encoded via de Bruijn indices Re-usable library, dblib The main hygiene lemmas have >90 cases and 4-line proofs 2 / 7
89 Algebraic data types data list a = Nil Cons { head: a; tail: list a } data mutable mlist a = MNil MCons { head: a; tail: mlist a } 3 / 7
90 Melding mutable lists val rec meld_aux [a] (xs: MCons { head: a; tail: mlist a }, consumes ys: mlist a) : () = match xstail with MNil -> xstail <- ys MCons -> meld_aux (xstail, ys) end 4 / 7
91 Concatenating immutable lists val rec append_aux [a] (consumes ( dst: MCons { head: a; tail: () }, xs: list a, ys: list a )) : ( list a) = match xs with Cons -> let dst' = MCons { head = xshead; tail = () } in dsttail <- dst'; tag of dst <- Cons; append_aux (dst', xstail, ys) Nil -> dsttail <- ys; tag of dst <- Cons end 5 / 7
92 Regions abstract region val newregion: () -> region abstract rref (rho : value) a fact duplicable (rref rho a) val newrref: (consumes x: a region) -> rref rho a val get: (r: rref rho a duplicable a region) -> a val set: (r: rref rho a, consumes x: a region) -> () 6 / 7
93 Adoption and abandon val dfs [a] (g: graph a, f: a -> ()) : () = let s = stack::new groots in stack::work (s, fun (n: dynamic graph a * stack dynamic) : () = take n from g; if not nvisited then begin nvisited <- true; f ncontent; stack::push (nneighbors, s) end; give n to g ) 7 / 7
The theory of Mezzo. François Pottier. IHP, April 2014 INRIA
The theory of Mezzo François Pottier INRIA IHP, April 2014 1 / 94 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin. 2 / 94 Outline Introduction The
More informationThe practice of Mezzo
The practice of Mezzo François Pottier INRIA IHP, April 2014 1 / 83 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin 2 / 83 Overview Two lectures
More informationAn overview of Mezzo
An overview of Mezzo François Pottier INRIA Bertinoro, June 2015 1 / 91 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin 2 / 91 What is Mezzo? An
More informationThe Mezzo case. Jonathan Protzenko. François Pottier FSFMA'13. Why design a new programming language?
Why design a new programming language? The Mezzo case François Pottier francois.pottier@inria.fr Jonathan Protzenko jonathan.protzenko@inria.fr INRIA FSFMA'13 Jonathan Protzenko (INRIA) The Mezzo language
More informationJonathan Protzenko (INRIA)
Mezzo a typed language for safe and effectful concurrent programs Jonathan Protzenko (INRIA) jonathan.protzenko@inria.fr Jonathan Protzenko INRIA Mezzo: the defense Sept. 29th, 2014 1 / 59 This defense:
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationHiding local state in direct style: a higher-order anti-frame rule
1 / 65 Hiding local state in direct style: a higher-order anti-frame rule François Pottier January 28th, 2008 2 / 65 Contents Introduction Basics of the type system A higher-order anti-frame rule Applications
More informationMutable References. Chapter 1
Chapter 1 Mutable References In the (typed or untyped) λ-calculus, or in pure functional languages, a variable is immutable in that once bound to a value as the result of a substitution, its contents never
More informationFrom IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich
From IMP to Java Andreas Lochbihler ETH Zurich parts based on work by Gerwin Klein and Tobias Nipkow 2015-07-14 1 Subtyping 2 Objects and Inheritance 3 Multithreading 1 Subtyping 2 Objects and Inheritance
More informationRely-Guarantee References for Refinement Types over Aliased Mutable Data
Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 23 x:ref
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationMutation. COS 326 David Walker Princeton University
Mutation COS 326 David Walker Princeton University Mutation? 2 Thus far We have considered the (almost) purely functional subset of Ocaml. We ve had a few side effects: printing & raising exceptions. Two
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationCombining Programming with Theorem Proving
Combining Programming with Theorem Proving Chiyan Chen and Hongwei Xi Boston University Programming with Theorem Proving p.1/27 Motivation for the Research To support advanced type systems for practical
More informationRustBelt: Securing the Foundations of the Rust Programming Language
RustBelt: Securing the Foundations of the Rust Programming Language Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, Derek Dreyer POPL 2018 in Los Angeles, USA Max Planck Institute for Software Systems
More informationLecture 6: Sequential Sorting
15-150 Lecture 6: Sequential Sorting Lecture by Dan Licata February 2, 2012 Today s lecture is about sorting. Along the way, we ll learn about divide and conquer algorithms, the tree method, and complete
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationCS131 Typed Lambda Calculus Worksheet Due Thursday, April 19th
CS131 Typed Lambda Calculus Worksheet Due Thursday, April 19th Name: CAS ID (e.g., abc01234@pomona.edu): I encourage you to collaborate. collaborations below. Please record your Each question is worth
More informationTYPE INFERENCE. François Pottier. The Programming Languages Mentoring ICFP August 30, 2015
TYPE INFERENCE François Pottier The Programming Languages Mentoring Workshop @ ICFP August 30, 2015 What is type inference? What is the type of this OCaml function? let f verbose msg = if verbose then
More informationProgramming Languages Lecture 15: Recursive Types & Subtyping
CSE 230: Winter 2008 Principles of Programming Languages Lecture 15: Recursive Types & Subtyping Ranjit Jhala UC San Diego News? Formalize first-order type systems Simple types (integers and booleans)
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers Pointers and
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationRely-Guarantee Protocols for Safe Interference over Shared Memory
Rely-Guarantee Protocols for Safe Interference over Shared Memory Thesis Defense Filipe Militão December 15, 2015. Co-advised by Jonathan Aldrich (CMU) and Luís Caires (UNL). Software Defects Our over
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More informationChapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes
Chapter 13: Reference Why reference Typing Evaluation Store Typings Safety Notes References Computational Effects Also known as side effects. A function or expression is said to have a side effect if,
More informationProgramming Languages Lecture 14: Sum, Product, Recursive Types
CSE 230: Winter 200 Principles of Programming Languages Lecture 4: Sum, Product, Recursive Types The end is nigh HW 3 No HW 4 (= Final) Project (Meeting + Talk) Ranjit Jhala UC San Diego Recap Goal: Relate
More informationVerified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017
Verified Characteristic Formulae for CakeML Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017 Goal: write programs in a high-level (ML-style) language, prove them correct interactively,
More informationCSE-321 Programming Languages 2010 Final
Name: Hemos ID: CSE-321 Programming Languages 2010 Final Prob 1 Prob 2 Prob 3 Prob 4 Prob 5 Prob 6 Total Score Max 18 28 16 12 36 40 150 There are six problems on 16 pages, including two work sheets, in
More informationStatic and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012
Static and User-Extensible Proof Checking Antonis Stampoulis Zhong Shao Yale University POPL 2012 Proof assistants are becoming popular in our community CompCert [Leroy et al.] sel4 [Klein et al.] Four-color
More informationWitnessing Purity, Constancy and Mutability APLAS Ben Lippmeier Australian National University 2009/12/14
Witnessing Purity, Constancy and Mutability APLAS 2009 Ben Lippmeier Australian National University 2009/12/14 The hidden cost of state monads map :: (a -> b) -> List a -> List b map f xs = case xs of
More informationCMSC 336: Type Systems for Programming Languages Lecture 5: Simply Typed Lambda Calculus Acar & Ahmed January 24, 2008
CMSC 336: Type Systems for Programming Languages Lecture 5: Simply Typed Lambda Calculus Acar & Ahmed January 24, 2008 Contents 1 Solution to the Exercise 1 1.1 Semantics for lambda calculus.......................
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationStatic Lock Capabilities for Deadlock-Freedom
Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu University of Washington TLDI, January 28, 2012 Joint work with Michael D. Ernst and Dan Grossman Colin S. Gordon
More informationSemantic Subtyping. Alain Frisch (ENS Paris) Giuseppe Castagna (ENS Paris) Véronique Benzaken (LRI U Paris Sud)
Semantic Subtyping Alain Frisch (ENS Paris) Giuseppe Castagna (ENS Paris) Véronique Benzaken (LRI U Paris Sud) http://www.cduce.org/ Semantic Subtyping - Groupe de travail BD LRI p.1/28 CDuce A functional
More informationOn the Expressiveness of Polyadicity in Higher-Order Process Calculi
On the Expressiveness of Polyadicity in Higher-Order Process Calculi Ivan Lanese, Jorge A. Pérez, Davide Sangiorgi (Univ. di Bologna) Alan Schmitt (INRIA Grenoble - Rhône Alpes) ICTCS 09 Cremona, September
More informationType Systems Winter Semester 2006
Type Systems Winter Semester 2006 Week 9 December 13 December 13, 2006 - version 1.0 Plan PREVIOUSLY: unit, sequencing, let, pairs, sums TODAY: 1. recursion 2. state 3.??? NEXT: exceptions? NEXT: polymorphic
More informationCSCI-GA Scripting Languages
CSCI-GA.3033.003 Scripting Languages 12/02/2013 OCaml 1 Acknowledgement The material on these slides is based on notes provided by Dexter Kozen. 2 About OCaml A functional programming language All computation
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationChapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes
Chapter 13: Reference Why reference Typing Evaluation Store Typings Safety Notes References Mutability So far, what we discussed does not include computational effects (also known as side effects). In
More informationSubstructural Typestates
Programming Languages meets Program Verification 2014 Substructural Typestates Filipe Militão (CMU & UNL) Jonathan Aldrich (CMU) Luís Caires (UNL) Motivation! File file = new File( out.txt );! file.write(
More informationOrnaments in ML. Thomas Williams, Didier Rémy. April 18, Inria - Gallium
Ornaments in ML Thomas Williams, Didier Rémy Inria - Gallium April 18, 2017 1 Motivation Two very similar functions let rec add m n = match m with Z n S m S (add m n) let rec append ml nl = match ml with
More informationTRELLYS and Beyond: Type Systems for Advanced Functional Programming
TRELLYS and Beyond: Type Systems for Advanced Functional Programming Aaron Stump Computer Science The University of Iowa Joint work with Tim Sheard, Vilhelm Sjöberg, and Stephanie Weirich. Supported by
More informationSimple proofs of simple programs in Why3
Simple proofs of simple programs in Why3 Jean-Jacques Lévy State Key Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences & Inria Abstract We want simple proofs for proving
More informationIntersections and Unions of Session Types
Intersections and Unions of Session Types Coşku Acay Frank Pfenning Carnegie Mellon University School of Computer Science ITRS 2016 C. Acay & F. Pfenning (CMU) Intersections and Unions of Session Types
More informationPhantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs
Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs Christian J Bell, Mohsen Lesani, Adam Chlipala, Stephan Boyer, Gregory Malecha, Peng Wang MIT CSAIL cj@csailmitedu
More informationProving liveness. Alexey Gotsman IMDEA Software Institute
Proving liveness Alexey Gotsman IMDEA Software Institute Safety properties Ensure bad things don t happen: - the program will not commit a memory safety fault - it will not release a lock it does not hold
More informationPart VI. Imperative Functional Programming
Part VI Imperative Functional Programming Chapter 14 Mutable Storage MinML is said to be a pure language because the execution model consists entirely of evaluating an expression for its value. ML is
More informationSequentialising a concurrent program using continuation-passing style
Sequentialising a concurrent program using continuation-passing style Juliusz Chroboczek Université de Paris-Diderot (Paris 7) jch@pps.jussieu.fr 28 January 2012 1/44 Outline Everything you ever wanted
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationSubtyping. Lecture 13 CS 565 3/27/06
Subtyping Lecture 13 CS 565 3/27/06 Polymorphism Different varieties of polymorphism: Parametric (ML) type variables are abstract, and used to encode the fact that the same term can be used in many different
More informationTypes for References, Exceptions and Continuations. Review of Subtyping. Γ e:τ τ <:σ Γ e:σ. Annoucements. How s the midterm going?
Types for References, Exceptions and Continuations Annoucements How s the midterm going? Meeting 21, CSCI 5535, Spring 2009 2 One-Slide Summary Review of Subtyping If τ is a subtype of σ then any expression
More information1 Introduction. 3 Syntax
CS 6110 S18 Lecture 19 Typed λ-calculus 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic semantics,
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationMeta-programming with Names and Necessity p.1
Meta-programming with Names and Necessity Aleksandar Nanevski Carnegie Mellon University ICFP, Pittsburgh, 05 October 2002 Meta-programming with Names and Necessity p.1 Meta-programming Manipulation of
More informationWhy3 where programs meet provers
Why3 where programs meet provers Jean-Christophe Filliâtre CNRS KeY Symposium 2017 Rastatt, Germany October 5, 2017 history started in 2001, as an intermediate language in the process of verifying C and
More informationINCREMENTAL SOFTWARE CONSTRUCTION WITH REFINEMENT DIAGRAMS
INCREMENTAL SOFTWARE CONSTRUCTION WITH REFINEMENT DIAGRAMS Ralph-Johan Back Abo Akademi University July 6, 2006 Home page: www.abo.fi/~backrj Research / Current research / Incremental Software Construction
More informationTyped Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts
Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts Toshiyuki Maeda and Akinori Yonezawa University of Tokyo Quiz [Environment] CPU: Intel Xeon X5570 (2.93GHz)
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationConcurrent library abstraction without information hiding
Universidad Politécnica de Madrid Escuela técnica superior de ingenieros informáticos Concurrent library abstraction without information hiding Artem Khyzha Advised by Manuel Carro and Alexey Gotsman Madrid
More informationAbstract Interpretation Using Laziness: Proving Conway s Lost Cosmological Theorem
Abstract Interpretation Using Laziness: Proving Conway s Lost Cosmological Theorem Kevin Watkins CMU CSD POP Seminar December 8, 2006 In partial fulfillment of the speaking skills requirement ? 2111 1231
More informationModal Logic: Implications for Design of a Language for Distributed Computation p.1/53
Modal Logic: Implications for Design of a Language for Distributed Computation Jonathan Moody (with Frank Pfenning) Department of Computer Science Carnegie Mellon University Modal Logic: Implications for
More informationIntroduction to OCaml
Fall 2018 Introduction to OCaml Yu Zhang Course web site: http://staff.ustc.edu.cn/~yuzhang/tpl References Learn X in Y Minutes Ocaml Real World OCaml Cornell CS 3110 Spring 2018 Data Structures and Functional
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationSCHOOL: a Small Chorded Object-Oriented Language
SCHOOL: a Small Chorded Object-Oriented Language S. Drossopoulou, A. Petrounias, A. Buckley, S. Eisenbach { s.drossopoulou, a.petrounias, a.buckley, s.eisenbach } @ imperial.ac.uk Department of Computing,
More informationPrecision and the Conjunction Rule in Concurrent Separation Logic
Precision and the Conjunction Rule in Concurrent Separation Logic Alexey Gotsman a Josh Berdine b Byron Cook b,c a IMDEA Software Institute b Microsoft Research c Queen Mary University of London Abstract
More informationEta-equivalence in Core Dependent Haskell
Eta-equivalence in Core Dependent Haskell You should machine-check your proofs Stephanie Weirich University of Pennsylvania Core Dependent Haskell A Specification for Dependent Types in Haskell Stephanie
More informationOn the Logical Foundations of Staged Computation
On the Logical Foundations of Staged Computation Frank Pfenning PEPM 00, Boston, MA January 22, 2000 1. Introduction 2. Judgments and Propositions 3. Intensional Types 4. Run-Time Code Generation 5. The
More informationCONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics
CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS522 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and
More informationCSE-321 Programming Languages 2012 Midterm
Name: Hemos ID: CSE-321 Programming Languages 2012 Midterm Prob 1 Prob 2 Prob 3 Prob 4 Prob 5 Prob 6 Total Score Max 14 15 29 20 7 15 100 There are six problems on 24 pages in this exam. The maximum score
More informationResource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems
Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems Insup Lee 1, Oleg Sokolsky 1, Anna Philippou 2 1 RTG (Real-Time Systems Group) Department of
More informationModular Reasoning about Aliasing using Permissions
Modular Reasoning about Aliasing using Permissions John Boyland University of Wisconsin- Milwaukee FOAL 2015 Summary Permissions are non-duplicable tokens that give access to state. Permissions give effective
More informationCSE-321 Programming Languages 2014 Final
Name: Hemos ID: CSE-321 Programming Languages 2014 Final Problem 1 Problem 2 Problem 3 Problem 4 Problem 5 Problem 6 Total Score Max 15 12 14 14 30 15 100 There are six problems on 12 pages in this exam.
More informationPart III. Chapter 15: Subtyping
Part III Chapter 15: Subtyping Subsumption Subtype relation Properties of subtyping and typing Subtyping and other features Intersection and union types Subtyping Motivation With the usual typing rule
More informationCONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics
CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS422 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and
More informationDatatype declarations
Datatype declarations datatype suit = HEARTS DIAMONDS CLUBS SPADES datatype a list = nil (* copy me NOT! *) op :: of a * a list datatype a heap = EHEAP HEAP of a * a heap * a heap type suit val HEARTS
More informationCategory Item Abstract Concrete
Exceptions To make things simple we ll first consider a simple failure mechanism. CMPSCI 630: Programming Languages Exceptions and Continuations Spring 2009 (with thanks to Robert Harper) Like exceptions,
More informationConcepts of programming languages
Concepts of programming languages Lecture 7 Wouter Swierstra 1 Last time Relating evaluation and types How to handle variable binding in embedded languages? 2 DSLs: approaches A stand-alone DSL typically
More informationTradeoffs. CSE 505: Programming Languages. Lecture 15 Subtyping. Where shall we add useful completeness? Where shall we add completeness?
Tradeoffs CSE 505: Programming Languages Lecture 15 Subtyping Zach Tatlock Autumn 2017 Desirable type system properties (desiderata): soundness - exclude all programs that get stuck completeness - include
More informationFunctional Programming Language Haskell
Functional Programming Language Haskell Mohammed Aslam CIS 24 Prof. Kopec Presentation: 03 Date: 05/05/2003 Haskell is a general purpose, purely functional programming language named after the logician
More informationLECTURE 16. Functional Programming
LECTURE 16 Functional Programming WHAT IS FUNCTIONAL PROGRAMMING? Functional programming defines the outputs of a program as a mathematical function of the inputs. Functional programming is a declarative
More informationATS: a language to make typeful programming real and fun
ATS: a language to make typeful programming real and fun p.1/32 ATS: a language to make typeful programming real and fun Hongwei Xi Boston University Work partly funded by NSF grant CCR-0229480 ATS: a
More informationPractical Affine Types and Typestate-Oriented Programming
Practical Affine Types and Typestate-Oriented Programming Philipp Haller KTH Royal Institute of Technology Stockholm, Sweden Dagstuhl Seminar 17051 Theory and Applications of Behavioural Types Schloss
More informationCS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011
CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic
More informationGADTs meet Subtyping
GADTs meet Subtyping Gabriel Scherer, Didier Rémy Gallium INRIA 2014 Gabriel Scherer, Didier Rémy (Gallium INRIA) GADTs meet Subtyping 2014 1 / 21 A reminder on GADTs GADTs are algebraic data types that
More informationLists. Michael P. Fourman. February 2, 2010
Lists Michael P. Fourman February 2, 2010 1 Introduction The list is a fundamental datatype in most functional languages. ML is no exception; list is a built-in ML type constructor. However, to introduce
More informationLogical Relations. Amal Ahmed. Northeastern University. OPLSS Lecture 5, June 26, 2015
Logical Relations Amal Ahmed Northeastern University OPLSS Lecture 5, June 26, 2015 Unary Logical Relations or: Logical Predicates --- can be used to prove: strong normalization type safety (high-level
More informationExtracting the Range of cps from Affine Typing
Extracting the Range of cps from Affine Typing Extended Abstract Josh Berdine, Peter W. O Hearn Queen Mary, University of London {berdine, ohearn}@dcs.qmul.ac.uk Hayo Thielecke The University of Birmingham
More informationFunctional Languages. Hwansoo Han
Functional Languages Hwansoo Han Historical Origins Imperative and functional models Alan Turing, Alonzo Church, Stephen Kleene, Emil Post, etc. ~1930s Different formalizations of the notion of an algorithm
More informationObject-Oriented Languages and Object-Oriented Design. Ghezzi&Jazayeri: OO Languages 1
Object-Oriented Languages and Object-Oriented Design Ghezzi&Jazayeri: OO Languages 1 What is an OO language? In Ada and Modula 2 one can define objects encapsulate a data structure and relevant operations
More informationAssistant for Language Theory. SASyLF: An Educational Proof. Corporation. Microsoft. Key Shin. Workshop on Mechanizing Metatheory
SASyLF: An Educational Proof Assistant for Language Theory Jonathan Aldrich Robert J. Simmons Key Shin School of Computer Science Carnegie Mellon University Microsoft Corporation Workshop on Mechanizing
More informationVerifying Program Invariants with Refinement Types
Verifying Program Invariants with Refinement Types Rowan Davies and Frank Pfenning Carnegie Mellon University Princeton and Yale Colloquium Talks February, 2001 Acknowledgments: Robert Harper 1 Overview
More informationProgramming language design and analysis
Programming language design and analysis Introduction Marius Minea 25 September 2017 Why this course? Programming languages are fundamental and one of the oldest CS fields Language design is an important
More informationFunctional Programming. Pure Functional Programming
Functional Programming Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends only on the values of its sub-expressions (if any).
More informationTyped Lambda Calculus and Exception Handling
Typed Lambda Calculus and Exception Handling Dan Zingaro zingard@mcmaster.ca McMaster University Typed Lambda Calculus and Exception Handling p. 1/2 Untyped Lambda Calculus Goal is to introduce typing
More informationSymmetry in Type Theory
Google May 29th, 2012 What is Symmetry? Definition Symmetry: Two or more things that initially look distinct, may actually be instances of a more general underlying principle. Why do we care? Simplicity.
More informationChapter 11 :: Functional Languages
Chapter 11 :: Functional Languages Programming Language Pragmatics Michael L. Scott Copyright 2016 Elsevier 1 Chapter11_Functional_Languages_4e - Tue November 21, 2017 Historical Origins The imperative
More informationConcurrency and Parallelism. CS152: Programming Languages. Lecture 19 Shared-Memory Parallelism and Concurrency. Concurrency vs. Parallelism.
CS152: Programming Languages Lecture 19 Shared-Memory Parallelism and Concurrency Dan Grossman Spring 2011 Concurrency and Parallelism PL support for concurrency/parallelism a huge topic Increasingly important
More informationCS152: Programming Languages. Lecture 19 Shared-Memory Parallelism and Concurrency. Dan Grossman Spring 2011
CS152: Programming Languages Lecture 19 Shared-Memory Parallelism and Concurrency Dan Grossman Spring 2011 Concurrency and Parallelism PL support for concurrency/parallelism a huge topic Increasingly important
More informationProgram Calculus Calculational Programming
Program Calculus Calculational Programming National Institute of Informatics June 21 / June 28 / July 5, 2010 Program Calculus Calculational Programming What we will learn? Discussing the mathematical
More informationFunctional programming in μscheme
Functional programming in μscheme COMP 105 Assignment Due Tuesday, February 14, 2017 at 11:59PM Contents Overview 1 Setup 2 Diagnostic tracing 2 Dire Warnings 2 Reading Comprehension (10 percent) 3 Programming
More information