Refined typechecking with Stardust

Similar documents
Type assignment for intersections and unions in call-by-value languages

Refined Typechecking with Stardust

Combining Programming with Theorem Proving

Verifying Program Invariants with Refinement Types

TYPE INFERENCE. François Pottier. The Programming Languages Mentoring ICFP August 30, 2015

CS558 Programming Languages

CS558 Programming Languages

Lists. Michael P. Fourman. February 2, 2010

COSE212: Programming Languages. Lecture 3 Functional Programming in OCaml

ATS: a language to make typeful programming real and fun

Type Assignment for Intersections and Unions in Call-by-Value Languages

Advanced Type System Features Tom Schrijvers. Leuven Haskell User Group

IA014: Advanced Functional Programming

Type Checking and Type Inference

CS558 Programming Languages

The design of a programming language for provably correct programs: success and failure

Polymorphic lambda calculus Princ. of Progr. Languages (and Extended ) The University of Birmingham. c Uday Reddy

CSCI-GA Scripting Languages

GADTs. Wouter Swierstra and Alejandro Serrano. Advanced functional programming - Lecture 7. [Faculty of Science Information and Computing Sciences]

Programming Languages and Compilers (CS 421)

Tridirectional Typechecking

Semantic Subtyping with an SMT Solver

GADTs. Alejandro Serrano. AFP Summer School. [Faculty of Science Information and Computing Sciences]

l e t print_name r = p r i n t _ e n d l i n e ( Name : ^ r. name)

GADTs. Wouter Swierstra. Advanced functional programming - Lecture 7. Faculty of Science Information and Computing Sciences

Lecture 19: Signatures, Structures, and Type Abstraction

Practical Refinement-Type Checking

Types and Programming Languages. Lecture 5. Extensions of simple types

Dependent types and program equivalence. Stephanie Weirich, University of Pennsylvania with Limin Jia, Jianzhou Zhao, and Vilhelm Sjöberg

` e : T. Gradual Typing. ` e X. Ronald Garcia University of British Columbia

Programming with C Library Functions Safely

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

A Unified System of Type Refinements

ML Type Inference and Unification. Arlen Cox

n n Try tutorial on front page to get started! n spring13/ n Stack Overflow!

Lecture Notes on Induction and Recursion

This section is primarily based on Principles of Type Refinement, Noam Zeilberger,

A Practical Optional Type System for Clojure. Ambrose Bonnaire-Sergeant

Logic - CM0845 Introduction to Haskell

Inductive Data Types

Questions? Static Semantics. Static Semantics. Static Semantics. Next week on Wednesday (5 th of October) no

Generic polymorphism on steroids

Simple Unification-based Type Inference for GADTs

Booleans (aka Truth Values) Programming Languages and Compilers (CS 421) Booleans and Short-Circuit Evaluation. Tuples as Values.

The Typed Racket Guide

Lecture 21: Red-Black Trees

Tracing Ambiguity in GADT Type Inference

Typed Racket: Racket with Static Types

# true;; - : bool = true. # false;; - : bool = false 9/10/ // = {s (5, "hi", 3.2), c 4, a 1, b 5} 9/10/2017 4

Mini-ML. CS 502 Lecture 2 8/28/08

The SMT-LIB 2 Standard: Overview and Proposed New Theories

Lecture #13: Type Inference and Unification. Typing In the Language ML. Type Inference. Doing Type Inference

Shared Subtypes. Subtyping Recursive Parameterized Algebraic Data Types

Untangling Typechecking of Intersections and Unions

List Functions, and Higher-Order Functions

Provably Correct Software

Ornaments in ML. Thomas Williams, Didier Rémy. April 18, Inria - Gallium

Overloading, Type Classes, and Algebraic Datatypes

15 212: Principles of Programming. Some Notes on Continuations

Advanced features of Functional Programming (Haskell)

Type Systems. Parametric Polymorphism. 1. Recall Let-Polymorphism. 1. Recall Let-Polymorphism. Lecture 9 Dec. 15th, 2004 Sebastian Maneth

Flang typechecker Due: February 27, 2015

Exercise 1 ( = 24 points)

Pierce Ch. 3, 8, 11, 15. Type Systems

Advances in Programming Languages

Standard ML. Data types. ML Datatypes.1

Higher-Order Logic. Specification and Verification with Higher-Order Logic

Lecture #23: Conversion and Type Inference

Functional programming Primer I

Overview. Elements of Programming Languages. Advanced constructs. Motivating inner class example

GADTs. GADTs in Haskell

Conversion vs. Subtyping. Lecture #23: Conversion and Type Inference. Integer Conversions. Conversions: Implicit vs. Explicit. Object x = "Hello";

Goal. CS152: Programming Languages. Lecture 15 Parametric Polymorphism. What the Library Likes. What The Client Likes. Start simpler.

Types and Type Inference

Type structure is a syntactic discipline for maintaining levels of abstraction John Reynolds, Types, Abstraction and Parametric Polymorphism

Exercise 1 (2+2+2 points)

Dependent types and program equivalence. Stephanie Weirich, University of Pennsylvania with Limin Jia, Jianzhou Zhao, and Vilhelm Sjöberg

Structural polymorphism in Generic Haskell

Functional Paradigm II

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

COS 320. Compiling Techniques

Mathematics for Computer Scientists 2 (G52MC2)

Many Holes in Hindley-Milner

CIS 194: Homework 3. Due Wednesday, February 11, Interpreters. Meet SImPL

Programming in Omega Part 1. Tim Sheard Portland State University

Second-Order Type Systems

Where is ML type inference headed?

Programming Languages Lecture 15: Recursive Types & Subtyping

CS 360: Programming Languages Lecture 12: More Haskell

Types and Type Inference

GADTs gone mild. Code at Gabriel RADANNE 23 Mars 2017

Programming Languages Lecture 14: Sum, Product, Recursive Types

Objects as Session-Typed Processes

Part III Chapter 15: Subtyping

Type families and data kinds

A quick introduction to SML

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Lists. Adrian Groza. Department of Computer Science Technical University of Cluj-Napoca

CSC324 Principles of Programming Languages

Transcription:

Refined typechecking with Stardust Joshua Dunfield Carnegie Mellon University (current affiliation: McGill University) PLPV 2007 Freiburg, Germany 5 October 2007 1

Conventional Static Typing ML, Haskell,... Types express properties: append : list list list Types can be inferred; type annotations are documentation (except module interfaces) Well typed programs don t go wrong 2

Conventional Static Typing ML, Haskell,... Types express properties: append : list list list Types can be inferred; type annotations are documentation (except module interfaces) Well typed programs don t go wrong We extend conventional static typing to verify more precise invariants: append : -all a, b:nat- list(a) }{{} length a list(b) list(a+b) 2

Background Part of a larger project... Type assignment system* Tridirectional type system* Let-normal transform + type system Implementation: Stardust this paper * joint work with Frank Pfenning 3

Outline Z Introduction Integer Domain Red-Black Trees Dimension Domain Implementation Related Work Summary and Future Work 4

Setting Subset of core Standard ML: First class functions Primitive types int, real, string,... Algebraic datatypes datatype list = Nil datatype tree = Empty Cons of int list Tree of key tree tree syntactic sugar patterns, e.g. Black(e, Red lt, Red (rt as (_,_,Red _))) 5

Datasort Refinements a.k.a. refinement types [Freeman+Pf. 91, Davies 97, 05] Refine an algebraic datatype by a datasort Example: Lists of integers Nil : list Cons : int list list Nil : evenl Cons : (int oddl evenl) & (int evenl oddl) & (int list list) list oddl evenl Intersections v : A & B: v has type A and type B 6 6

Intersection Types Set Intersection oddl evenl (oddl evenl) & (evenl oddl) evenl oddl If tail : (oddl evenl) & (evenl oddl) od : oddl, ev : evenl then tail(od) : evenl and tail(ev) : oddl 7

Index Refinements Dependent types with restrictions [Xi & Pfenning 99] Refine an algebraic datatype by an index Indices drawn from a decidable constraint domain Example: Lists indexed by their length Nil : list(0) Cons :-all a:nat- int list(a) list(a+1) append : -all a, b:nat- list(a) list(b) list(a+b) filter : (int bool) -all a:nat- list(a) (-exists b:nat- [b a] list(b)) 8

Index Refinements + Union Types Untagged unions v : A B: v has type A or type B Choice function: choose : -all a, b:nat- list(a) list(b) (list(a) list(b)) fun choose (xs, ys) = case random_bit() of true xs false ys Assume xs:list(a), ys:list(b) Show body checks against list(a) list(b): Show xs : list(a) list(b) show xs : list(a) Show ys : list(a) list(b) show ys : list(a) or, show ys : list(b) 9

Red-black trees datatype tree = Empty Red of key tree tree Black of key tree tree Invariants: (1) Empty nodes are considered black (2) The children of a red node must be black. (3) For every node t, there exists bh(t) s.t. the number of black nodes on all paths from t to its leaves is bh(t). 10

Use datasort for invariants (1), (2) tree Empty : tree Red : key tree tree tree Black : key tree tree tree 11

Use datasort for invariants (1), (2) tree rbt Empty : tree Red : key tree tree tree Black : key tree tree tree Add rbt to represent valid red-black trees 11

Use datasort for invariants (1), (2) tree rbt red black Empty : tree Red : key tree tree tree Black : key tree tree tree Add rbt to represent valid red-black trees Add red, black to distinguish colors 11

Use datasort for invariants (1), (2) tree rbt red black Empty : black Red : key tree tree tree Black : key tree tree tree Add rbt to represent valid red-black trees Add red, black to distinguish colors Invariant (1): Empty nodes are considered black 11

Use datasort for invariants (1), (2) tree rbt red black Empty : black Red : key tree tree tree & key black black red Black : key tree tree tree & key rbt rbt black Add rbt to represent valid red-black trees Add red, black to distinguish colors Invariant (1): Empty nodes are considered black Invariant (2): The children of a red node must be black 11

Use index for invariant (3) tree rbt red black Empty : black Red : key tree tree tree & key black black red Black : key tree tree tree & key rbt rbt black Invariant (3): For every node t, there exists bh(t) s.t. the number of black nodes on all paths from t to its leaves is bh(t) 12

Use index for invariant (3) tree rbt red black Empty : black Red : key tree tree tree & key black black red Black : key tree tree tree & key rbt rbt black Invariant (3): For every node t, there exists bh(t) s.t. the number of black nodes on all paths from t to its leaves is bh(t) Index by the black height bh(t), a natural number 12

Use index for invariant (3) tree rbt red black Empty : black(0) Red : -all h:natkey tree(h) tree(h) tree(h) & key black(h) black(h) red(h) Black : -all h:natkey tree(h) tree(h) tree(h + 1) & key rbt(h) rbt(h) black(h + 1) Invariant (3): For every node t, there exists bh(t) s.t. the number of black nodes on all paths from t to its leaves is bh(t) Index by the black height bh(t), a natural number 12

What the user writes (*[ datasort rbt < tree; red < rbt;black < rbt datacon Empty : black(0) datacon Red : -all h:natkey tree(h) tree(h) tree(h) & key black(h) black(h) red(h) datacon Black : -all h:natkey tree(h) tree(h) tree(h + 1) & key rbt(h) rbt(h) black(h + 1) ]*) 13

Index Domains Integers int linear inequalities Booleans bool Dimensions dim 14

Introduction Z Integer Domain Red-Black Trees Dimension Domain Implementation Related Work Summary and Future Work 15

Integers: Red-Black Trees Insertion (with slightly more complex datasorts) Deletion: SML/NJ library Found two bugs, each violating the color invariant Buggy module looks correct to clients After bugs fixed, typechecks 16

Zipper z [ ] TOP 2 a 5 [ ] b LEFTB(RIGHTR(a, 2, TOP), 5, b) zip(z, t) t 2 a 5 t b t Red(2, a, Black(5, t, b)) 17

Datasort Refinement zipper toporbr blackzipper BRzipper topzipper blackbrzipper 18

Datasort Refinement zipper toporbr blackzipper BRzipper topzipper blackbrzipper 2 a 5 [ ] b 18

Datasort Refinement zipper toporbr blackzipper BRzipper topzipper blackbrzipper 2 a 5 [ ] b : blackzipper 18

Datasort Refinement zipper toporbr blackzipper BRzipper topzipper blackbrzipper 2 a 5 [ ] b : blackzipper 5 : BRzipper [ ] b t 5 b : black 18

Index Refinement: Height When Zipped z : zipper(h, hz) when zip(z, t) yields rbt(hz), where t : rbt(h) 2 E 2 E zip( 5, [ ] E ) = 5 E E E : zipper(0, 1) : rbt(0) : rbt(1) 2 E zip( 5 [ ] E 3 E, E 2 E 3 E ) = 5 E : rbt(1) rbt : E 19

Zipper Constructor Types datacon TOP : -all h:nat- topzipper(h, h)... datacon LEFTR : -all h, hz:natint black(h) blackzipper(h, hz) zipper(h, hz) & int black(h) blackbrzipper(h, hz) BRzipper(h, hz) z n t LEFTR(n, t, z) where t : black(h) 20

Introduction Integer Domain Red-Black Trees Z Dimension Domain Implementation Related Work Summary and Future Work 21

Dimension Index Sort dim Unit confusion a significant factor in the loss of the Mars Climate Orbiter Units M, S, KG Multiplication and powers: M KG M ^ 2 S ^ a Multiplicative identity 1 real indexed by dim 22

Dimensions Example (*[ val power : -all d:dim- -all n:intint(n) real(d) real(d ^ n) ]*) fun power n x = if n = 0 then 1.0 else if n < 0 then 1.0 / power (~n) x else x * power (n-1) x 23

Dimensions: Invaluable Refinement Unlike e.g. red-black trees, our dimension refinements are not tied to values: For every d, each type real(d) is inhabited by exactly the same set of floating-point values: 3.1 : real(1) 3.1 M : real(m) 3.1 S : real(s) 3.1 M M : real(m ^ 2) All these expressions yield identical values at runtime! Also not based on values: qualified types [Foster], phantom types [Cheney/Hinze, Fluet/Pucella,... ], state refinement [Mandelbaum et al.,... ] 24

Dimensions: Related Work 70s and 80s Kennedy 96: Polymorphism, type inference Allen 04: abelian classes in Java 25

Introduction Integer Domain Red-Black Trees Dimension Domain Z Implementation Related Work Summary and Future Work 26

Constraint Solving Delegate most work to external tools: ICS or CVC Lite Accumulate constraints incrementally Solve for existential index variables Reduce dimension constraints to integer constraints 27

(Almost) Ideal Constraint Solver Interface 1. Persistent solver contexts Ω encapsulating index-level assumptions 2. ASSERT(Ω, P) returning Valid if Ω = P Invalid if Ω, P = Contingent(Ω ) if Ω = P and Ω, P =, yielding a new context Ω = Ω, P 3. VALID(Ω, P) returning Valid if Ω = P Invalid otherwise. 4. DECLARE(Ω, a, sort) 28

ICS Developed at SRI (de Moura, Rueß, Shankar,... ) Integers (almost), rationals, bitvectors (not really), functional arrays,... Provides the desired interface Fast Future: Closed source Deprecated, replaced by Yices For our purposes: ICS a great improvement on its successor 29

ICS Developed at SRI (de Moura, Rueß, Shankar,... ) Integers (almost), rationals, bitvectors (not really), functional arrays,... Provides the desired interface Fast except when it hangs Future: Closed source Deprecated, replaced by Yices For our purposes: ICS a great improvement on its successor 29

CVC Lite Barrett, Berezin, [Dill], [Tinelli],... Integers, rationals, bitvectors, functional arrays,... Does not provide persistent contexts Slower than ICS, but more stable Future: Deprecated, replaced by CVC 3 Open source 30

A nontraditional application? Most satisfiability-modulo-theories systems aimed at large problems Stardust needs to solve many small problems {Correctness, variety of theories} speed 31

Typechecking Time Wall-clock time in seconds CVC Lite standalone Input program ICS library redblack-full δ(i) & 1.9 8.2 9.2 redblack-full-bug1 δ(i) & 1.6 6.8 8.1 redblack δ(i) & < 1 < 1 < 1 rbdelete δ(i) & * 37.7 31.6 bits δ(i) & * 9.5 4.0 bits-un δ(i) & 33.5 298.5 241.4 others δ(i) < 1 < 1 < 1 32

Memoization Xi s DML: index refinements No & : typecheck in single pass, don t need to memoize Davies SML-CIDRE: datasort refinements, &: backtracking No index refinements no Σ: memoization easy Stardust: datasort + index, & memoization ineffective might work with sophisticated irrelevance 33

Introduction Integer Domain Red-Black Trees Dimension Domain Implementation Z Related Work Summary and Future Work 34

Related Work [Davies 97/ 05, Davies & Pf. 00]: Bidirectional system with δ, & [Xi & Pfenning 99]: Bidirectional, with i, -all-, -exists- [Coppo et al. 81, Amadio 98]: & can characterize normal forms; hence full inference undecidable [Reynolds 96]: FORSYTHE with & (and type annotations) [Pierce 91]: Language with &,, syntactic markers Dependent types ((less) restricted): Cayenne, Epigram, [Chen & Xi 05], [Licata & Harper 05],... 35

Introduction Integer Domain Red-Black Trees Dimension Domain Implementation Related Work Z Summary and Future Work 36

Summary Type system Combination of datasort and index refinements, marker-free intersections, unions, quantifiers Data structure refinements, e.g. bitstrings, red-black trees Invaluable refinements, e.g. dimensions Implementation Delegated constraint solving Speed leaves... room for improvement 37

Future Work Parametric polymorphism Full SML (modules!) Index domains: bit vectors, inductive families, finite sets, regular languages,... Memoization and parallelization Refinement-based compilation Call-by-name (and -need) Proof (derivation) Counterexample generation Suggestion tools 38

http://type-refinements.info 39

Extra slides 40

Datasort Refinements tail : (evenl oddl) & (oddl evenl) & (list list) fun tail xs = case xs of Nil raise Error Cons(h, t) t First conjunct (evenl oddl): Assume xs : evenl Show raise Error : oddl and t : oddl Second conjunct (oddl evenl): Assume xs : oddl Show t : evenl 41

Parametric Polymorphism: Declarative As property type Γ e Πa:γ. A Γ i : γ ΠE Γ e [i/a]a Γ e α. B Γ A [mono]type Γ e [A/α]B 42

Greed and Failure Generate existential variable The greedy method [Cardelli 93] choose : α. α α α fun choose x y = case random_bit() of true x false y x : A, y : B choose x y 43

Greed and Failure Generate existential variable The greedy method [Cardelli 93] choose : α. α α α fun choose x y = case random_bit() of true x false y x : A, y : B choose x y A B and B A: y A 43

Greed and Failure Generate existential variable The greedy method [Cardelli 93] choose : α. α α α fun choose x y = case random_bit() of true x false y x : A, y : B choose x y A B and B A: A B and B A: y A y A 43

Greed and Failure Generate existential variable The greedy method [Cardelli 93] choose : α. α α α fun choose x y = case random_bit() of true x false y x : A, y : B choose x y A B and B A: A B and B A: A B and B A: y A y A y A 43

Unionism The greedy method seems to fail... 44

Unionism The greedy method seems to fail... If only we could get an upper bound of A and B! 44

Unionism The greedy method seems to fail... If only we could get an upper bound of A and B! A B Instantiating α = A B: x : A, y : B choose x y 44

Typechecker, Phone Home Let s not break the subformula property 45

Typechecker, Phone Home Let s not break the subformula property Instead, let the user write the union: (*[ choose : α. β. α β (α β) ]*) 45

Typechecker, Phone Home Let s not break the subformula property Instead, let the user write the union: (*[ choose : α. β. α β (α β) ]*) x : A, y : B choose x y α = A β = B 45

Typechecker, Phone Home Let s not break the subformula property Instead, let the user write the union: (*[ choose : α. β. α β (α β) ]*) x : A, y : B choose x y A B α = A β = B 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback