Gallimaufry

GallimaufryAn Automated Framework for Proving Type-Safety

Anne MulhernComputer Sciences DepartmentUniversity of Wisconsin-Madison

Madison, WI [email protected]

www.cs.wisc.edu/~mulhern/gallimaufry

CLASE 2005

mailto:[email protected]

CLASE 2005 Gallimaufry: An Automated Framework for Proving Type-Safety

2

Overview

• Introduction

• Gallimaufry Design: Core

• Gallimaufry Design: Extensions

• Conclusion and Future Work


3

Type-Safety

• Trapped error An error which causes computation to stop immediately

• Untrapped error An error which may allow computation to continue

• Type safe All type errors are trapped• Statically type safe Type errors detected

at compile time• Well typed Can be assigned a type


4

Type-Safety: Examples

• Statically type-safe:– ML

• Type-safe:– Java (partly static)– Lisp (entirely non-static)

• Not type-safe:– C (void*)


5

Static type-safety is good …

• For developers– Many errors are caught at compile time– Code is generally better designed– Less time is spent in debugging

• For users– Better security guarantees – Faster execution


6

…but has often been overlooked.

• Historical: Legacy of assembly language

• Cultural: Not highly valued by typical user

• Difficult to understand

• Languages are large and complex

• Proving type-safety for a real language is a daunting task


7

Language Enhancements

• Grow up rapidly around a popular language

• Address limitations in expressiveness

• Redress flaws in design

• Example: O’Caml objects, Java Generics

• Considerations of type-safety are still of secondary importance


8

Gallimaufry

1. A hash of various kinds of meats, a ragout.2. Any absurd medley; a hodgepodge.3. An automated framework for proving type-safety.

“So now they have made our English tongue a gallimaufry, or hodgepodge of all other speeches.”

- Edmund Spenser (1579)


9

Gallimaufry

• Core: A proof of type-safety for a base language (SOOL)

• Usage:– User specifies an enhancement to the base

language– Gallimaufry responds with a new proof of type-

safety or an error message

• Status: In development


10

Java Example: Array Subtyping1)String[] sa = new String[]{"zero"};2)Object[] oa = sa;3)oa[0] = new Integer(0);4)sa[0].charAt(0);

A <: B

A[] <: B[]Array<:


11

Overview

• Introduction





12

Gallimaufry Design: Translator


13

SOOL

Bruce’s Simple Object-oriented Language

class CellClass { x: Integer = 0; function get(): Integer is { return self.x } function set(newVal:Integer): Void is { self.x := nuVal } function bump() : Void is { self <= set(self <= get() + 1}}


14

Gallimaufry Design: Prover


15

Proving type-safety of SOOL

• We know: Target lambda calculus is type-safe

• We prove: Translation is correct• We infer: Any well-typed SOOL program

yields a well-typed lambda calculus program

• We conclude: SOOL is type-safe


16

Correctness of Translation

• Preservation of types– The type of the translated expression is the

translation of the type

• Preservation of subtypes – If a pair of types are in the subtype relation in

SOOL, then their translations are in the subtype relation


17

Preservation of Types


18

Preservation of Types


19

Preservation of Subtypes


20

Contributions:Translator• Confidence in prover

– Coq structures derived from working translator

• Feedback for implementer (myself)– Working translator unlikely to result from poor

understanding of translational semantics

“Beware of bugs in the above code; I have only proved it correct, not tried it.”

-Donald Knuth


21

Contributions: Prover

• Language Design and Type-Theory– Automated proof of correctness of Bruce’s

translational semantics

• Proof Techniques– Extraction from O’Caml to Coq– Feedback: How can O’Caml program be

written so that it is easily extracted into Coq structures?


22

Overview

• Introduction





23

Gallimaufry Design: Extensions

• User specifies language extension– Syntax– Translation and type rules– Additions to translator

• Gallimaufry– Regenerates Coq structures– Modifies tactics– Generates new proof of type-safety


24



25


Userupdatestranslator


26


Gallimaufry updates Coq structures, tactics, and proof


27

Contributions: Extension Part

• Automatic verification of type-safety for language extensions – Allow experimentation with language

extensions– Hide proof techniques


28

Contributions: Extension Part

• Techniques for automatic restructuring of proof tactics

• Techniques for user interaction:– Specifying new syntax and translation– Meaningful errors if extension is not type-safe

• Investigate range of language extensions supported by this technique


29

Overview

• Introduction





30

Contributions

• Automated proof of type-safety using a translational semantics

• Tool for interactive experimentation with language design

• Techniques for automated proof (re)generation


31

Future Work

Complete implementation of translator

Find and use Coq-friendly subset of O’Caml

Develop user-friendly interface for specification.


32

Future Work

Complete implementation of extractor

Make extraction to Coq structures direct.

Develop sound strategies for modifying tactics.


33

Future Work

Complete implementation of extractor

Develop useful error message extraction


34

Future Work

Study range of language extensions supported

Extend to other calculi

GallimaufryAn Automated Framework for Proving Type-Safety

Anne MulhernComputer Sciences DepartmentUniversity of Wisconsin-Madison

Madison, WI [email protected]

www.cs.wisc.edu/~mulhern/gallimaufry

CLASE 2005

mailto:[email protected]


36

Why Translational Semantics?

• Translation more intuitive concept– Compilation is translation

• User interaction more intuitive– Easier to add additional translation rules


37

Gallimaufry vs. Krakatoa


38

Array Example

• Model arrays as objects• [] just syntactic sugar for method• Given an array with elements of type T

– []:int Ref T– Translation of T[] has type

. X ( {[]: int Ref T})


39

Correctness of Translation

• Preservation of types– The type of the translated expression is the

translation of the type

• Preservation of subtypes – If a pair of types are in the subtype relation in

SOOL, then their translations are in the subtype relation


40

Array Example: Subtypes

Gallimaufry

Documents

typesafetystatic typesafety

typesafetyproving typesafety

complexproving typesafety

typesafetygallimaufry

examplesstatically typesafe

new proof of type

typesafetysoolbruces

typesafetyjava example