
Gallimaufry

Gallimaufry. An Automated Framework for Proving Type-Safety. Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA mulhern@cs.wisc.edu www.cs.wisc.edu/~mulhern/gallimaufry. CLASE 2005. Overview. Introduction Gallimaufry Design: Core


Presentation Transcript


  1. Gallimaufry An Automated Framework for Proving Type-Safety Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA mulhern@cs.wisc.edu www.cs.wisc.edu/~mulhern/gallimaufry CLASE 2005

  2. Overview
  • Introduction
  • Gallimaufry Design: Core
  • Gallimaufry Design: Extensions
  • Conclusion and Future Work
  Gallimaufry: An Automated Framework for Proving Type-Safety

  3. Type-Safety
  • Trapped error: an error which causes computation to stop immediately
  • Untrapped error: an error which may allow computation to continue
  • Type safe: all type errors are trapped
  • Statically type safe: type errors detected at compile time
  • Well typed: can be assigned a type

  4. Type-Safety: Examples
  • Statically type-safe:
    • ML
  • Type-safe:
    • Java (partly static)
    • Lisp (entirely non-static)
  • Not type-safe:
    • C (void*)

  5. Static type-safety is good …
  • For developers
    • Many errors are caught at compile time
    • Code is generally better designed
    • Less time is spent in debugging
  • For users
    • Better security guarantees
    • Faster execution

  6. …but has often been overlooked.
  • Historical: legacy of assembly language
  • Cultural: not highly valued by typical user
  • Difficult to understand
    • Languages are large and complex
    • Proving type-safety for a real language is a daunting task

  7. Language Enhancements
  • Grow up rapidly around a popular language
    • Address limitations in expressiveness
    • Redress flaws in design
    • Examples: O’Caml objects, Java Generics
  • Considerations of type-safety are still of secondary importance

  8. Gallimaufry
  • A hash of various kinds of meats, a ragout.
  • Any absurd medley; a hodgepodge.
  • An automated framework for proving type-safety.
  “So now they have made our English tongue a gallimaufry, or hodgepodge of all other speeches.” - Edmund Spenser (1579)

  9. Gallimaufry
  • Core: a proof of type-safety for a base language (SOOL)
  • Usage:
    • User specifies an enhancement to the base language
    • Gallimaufry responds with a new proof of type-safety or an error message
  • Status: in development

  10. Java Example: Array Subtyping
    String[] sa = new String[]{"zero"};
    Object[] oa = sa;            // accepted statically: Java treats String[] as a subtype of Object[]
    oa[0] = new Integer(0);      // type-checks, but the store is trapped at run time (ArrayStoreException)
    sa[0].charAt(0);             // would call a String method on an Integer if the store were not trapped

  11. Overview
  • Introduction
  • Gallimaufry Design: Core
  • Gallimaufry Design: Extensions
  • Conclusion and Future Work

  12. Gallimaufry Design: Translator

  13. SOOL
  Bruce’s Simple Object-oriented Language
    class CellClass {
      x: Integer = 0;
      function get(): Integer is { return self.x }
      function set(newVal: Integer): Void is { self.x := newVal }
      function bump(): Void is { self <= set(self <= get() + 1) }
    }

  14. Gallimaufry Design: Prover

  15. Proving type-safety of SOOL
  • We know: the target lambda calculus is type-safe
  • We prove: the translation is correct
  • We infer: any well-typed SOOL program yields a well-typed lambda calculus program
  • We conclude: SOOL is type-safe

  16. Correctness of Translation
  • Preservation of types
    • The type of the translated expression is the translation of the type
  • Preservation of subtypes
    • If a pair of types are in the subtype relation in SOOL, then their translations are in the subtype relation

  17. Preservation of Types

  18. Preservation of Types

  19. Preservation of Subtypes

  20. Contributions: Translator
  • Confidence in prover
    • Coq structures derived from working translator
  • Feedback for implementer (myself)
    • Working translator unlikely to result from poor understanding of translational semantics
  “Beware of bugs in the above code; I have only proved it correct, not tried it.” - Donald Knuth

  21. Contributions: Prover
  • Language Design and Type-Theory
    • Automated proof of correctness of Bruce’s translational semantics
  • Proof Techniques
    • Extraction from O’Caml to Coq
    • Feedback: how can an O’Caml program be written so that it is easily extracted into Coq structures?

  22. Overview
  • Introduction
  • Gallimaufry Design: Core
  • Gallimaufry Design: Extensions
  • Conclusion and Future Work

  23. Gallimaufry Design: Extensions
  • User specifies language extension
    • Syntax
    • Translation and type rules
    • Additions to translator
  • Gallimaufry
    • Regenerates Coq structures
    • Modifies tactics
    • Generates new proof of type-safety

  24. Gallimaufry Design: Extensions

  25. Gallimaufry Design: Extensions
  User updates translator

  26. Gallimaufry Design: Extensions
  Gallimaufry updates Coq structures, tactics, and proof

  27. Contributions: Extension Part
  • Automatic verification of type-safety for language extensions
    • Allow experimentation with language extensions
    • Hide proof techniques

  28. Contributions: Extension Part
  • Techniques for automatic restructuring of proof tactics
  • Techniques for user interaction:
    • Specifying new syntax and translation
    • Meaningful errors if extension is not type-safe
  • Investigate range of language extensions supported by this technique

  29. Overview
  • Introduction
  • Gallimaufry Design: Core
  • Gallimaufry Design: Extensions
  • Conclusion and Future Work

  30. Contributions
  • Automated proof of type-safety using a translational semantics
  • Tool for interactive experimentation with language design
  • Techniques for automated proof (re)generation

  31. Future Work
  • Complete implementation of translator
  • Find and use Coq-friendly subset of O’Caml
  • Develop user-friendly interface for specification

  32. Future Work
  • Complete implementation of extractor
  • Make extraction to Coq structures direct
  • Develop sound strategies for modifying tactics

  33. Future Work
  • Complete implementation of extractor
  • Develop useful error message extraction

  34. Future Work
  • Study range of language extensions supported
  • Extend to other calculi

  35. Gallimaufry An Automated Framework for Proving Type-Safety Anne Mulhern Computer Sciences Department University of Wisconsin-Madison Madison, WI USA mulhern@cs.wisc.edu www.cs.wisc.edu/~mulhern/gallimaufry CLASE 2005

  36. Why Translational Semantics?
  • Translation is the more intuitive concept
    • Compilation is translation
  • User interaction is more intuitive
    • Easier to add additional translation rules

  37. Gallimaufry vs. Krakatoa

  38. Array Example
  • Model arrays as objects
    • [] is just syntactic sugar for a method
  • Given an array with elements of type T
    • []: int → Ref T
    • Translation of T[] has type . X (  {[]: int → Ref T})
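The slide-10 program and the Ref T model of slide 38, carried into a runnable Java class as an added example (it is not code from the presentation). It shows the array store being trapped at run time, which is the "partly static" type safety of slide 4, and contrasts it with a generic List<T>, which is invariant like Ref T and so is rejected at compile time; the class name and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

public class ArraySubtyping {
    // Slide 10's program. Java accepts String[] <: Object[] statically,
    // so the store into oa type-checks; the JVM's run-time check on
    // array stores then traps it, so the bad read on sa is never reached.
    static String covariantArrays() {
        String[] sa = new String[]{"zero"};
        Object[] oa = sa;                 // accepted: arrays are covariant
        try {
            oa[0] = Integer.valueOf(0);   // trapped error: ArrayStoreException
            return sa[0].charAt(0) + "";  // not reached
        } catch (ArrayStoreException e) {
            return "trapped: " + e.getMessage();
        }
    }

    // Same shape with a generic list. List<T> is invariant, like the
    // Ref T returned by the [] method in slide 38, so the unsound
    // assignment is refused statically and the error never exists.
    static Object invariantLists() {
        List<String> ls = new ArrayList<>();
        ls.add("zero");
        // List<Object> lo = ls;          // compile error: incompatible types
        List<? extends Object> ro = ls;   // sound read-only view
        // ro.add(Integer.valueOf(0));    // compile error: cannot add through ? extends
        return ro.get(0);                 // reads remain well typed
    }

    public static void main(String[] args) {
        System.out.println(covariantArrays()); // prints: trapped: java.lang.Integer
        System.out.println(invariantLists());  // prints: zero
    }
}
```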

  39. Correctness of Translation
  • Preservation of types
    • The type of the translated expression is the translation of the type
  • Preservation of subtypes
    • If a pair of types are in the subtype relation in SOOL, then their translations are in the subtype relation

  40. Array Example: Subtypes
