Foundational Proof-Carrying Code
Amy Felty
University of Ottawa
June 2002
Slide 2: References

• Part I: Proof-Carrying Code
  • www.cs.berkeley.edu/~necula/papers.html
  • www-2.cs.cmu.edu/~fox/pcc.html
  • George Necula & Peter Lee, Proof-Carrying Code, Technical Report CMU-CS-96-165, 1996.
  • George Necula, Proof-Carrying Code, Symposium on Principles of Programming Languages (POPL), 1997.
  • George Necula & Peter Lee, The Design and Implementation of a Certifying Compiler, PLDI 1998.
• Part II: Foundational Proof-Carrying Code
  • www.cs.princeton.edu/sip/projects/pcc
  • Andrew Appel & Amy Felty, A Semantic Model of Types and Machine Instructions for Proof-Carrying Code, Symposium on Principles of Programming Languages (POPL), 2000.
  • Andrew Appel, Foundational Proof-Carrying Code, Symposium on Logic in Computer Science (LICS), 2001.
Slide 3: Proof-Carrying Code

(Diagram: the code producer on the left, the code consumer on the right.)
Code Producer: Source Program → Certifying Compiler → Native Code (C) with Hints → Prover → Safety Proof of safe(C), e.g. ∃-i(∀-i(→-r(...)))
Code Consumer: Checker, then (2.) Execute. The Checker is the Trusted Code Base.

Native Code (C):
  load r3, 4(r2)
  add r2, r4, r1
  store 1, 0(r7)
  store r1, 4(r7)
  add r7, 0, r3
  add r7, 8, r7
  beq r3, .-20

Slide 4: A Closer Look at the Prover and Checker

(Diagram.)
Code Producer: Native Code and Hints → VCGen → Safety Predicate → Prover → Safety Proof
Code Consumer: Native Code and Hints → VCGen → Safety Predicate → Checker (which checks the Safety Proof against it)
Slide 5: Safety Policy Summary

• First-order predicate logic with natural numbers and induction, e.g.,

    (A)
     B              A    A ⇒ B        [y/x]A           ∀x A
  ------- ⇒I       ------------ ⇒E   -------- ∀I     -------- ∀E
  A ⇒ B                 B             ∀x A            [t/x]A

• Safety policy rules, e.g.,  ∀v (v > 200 ⇒ readable(v))
• Typing rules, e.g.,

  v :m intlist        v :m intlist    m(v) = 1
  --------------      -------------------------
  readable(v)         m(v+2) :m intlist

• Interface rules
• The VCG expressing the semantics of machine instructions, e.g.,

  {[m(rs+c)/rd]Q ∧ readable(rs+c)}  LD rd := m(rs+c)  {Q}
Slide 6: Foundational Proof-Carrying Code

• New approach:
  • Prove typing rules from first principles.
    • Avoids commitment to a particular type system.
    • Removes rules from the safety policy.
  • Specify machine semantics directly.
    • Avoids using a Verification Condition Generator.
• Advantages:
  • Increased Security: The Trusted Code Base (TCB), i.e., the proof checker, is smaller.
  • Increased Flexibility: Allows programs compiled from different source languages to be sent to the same code consumer.

Slide 7: Safety Policy, New Version

• A higher-order logic (simple theory of types [Church, JSL'40]) with integers and natural number induction
• Safety rules: remove those about types, others unchanged
• Typing rules removed
• Interface rules
• Replace VCGen with a direct encoding of machine semantics

Slide 8: Part II: Outline

• New basic rules
• Removing typing rules (and safety rules about types)
• Encoding Types
• Handling allocation
• Encoding Machine Instructions
Slide 9: Higher-Order Logic

Higher-order logic with natural numbers and induction. Types and terms of the simply typed λ-calculus.
• Types:
  • Formulas have type o.
  • Register numbers, register contents, addresses and memory contents all have type num.
  • Also all other types τ1 → τ2 such that τ1 and τ2 are types.
• Terms:
  • Variables: x
  • Application: (t1 t2)
  • Abstraction: λx:τ. t

Slide 10: Functions and Predicates

• Functions:
  • + : num → num → num
• Predicates:
  • =τ : τ → τ → o for every type τ
  • < : num → num → o
• Note: predicates always have types of the form τ1 → … → τn → o

Slide 11: Formulas of Higher-Order Logic

• Implication:
  • ⇒ : o → o → o
  • Written as infix as usual: A ⇒ B
• Universal quantification:
  • ∀τ : (τ → o) → o for every type τ
  • (∀τ λx:τ. A) abbreviated as ∀x:τ. A or ∀x. A
• Note: quantification can be over objects of any type, including function types and predicates.
Slide 12: Inference Rules (1)

• Basic rules

    (A)
     B              A    A ⇒ B        ∀τ x A    t : τ        (y : τ)  [y/x]A
  ------- ⇒I       ------------ ⇒E   ---------------- ∀E    ---------------- ∀I
  A ⇒ B                 B               [t/x]A                  ∀τ x. A

  (λx:τ. t1) t2 =τ [t2/x]t1   (β)

Slide 13: Inference Rules (2)

• Natural numbers and induction as before

  [0/x]A    [n/x]A ⇒ [(n+1)/x]A
  -------------------------------
          ∀x:num. A

  (x + y) + z = x + (y + z)    x + y = y + x    x + 0 = x    ¬(0 = x + 1)    …

  t1 =τ t2    [t1/x]A
  --------------------        t =τ t
        [t2/x]A
Slide 14: Definitions for Other Connectives

• We use the following definitions for the other connectives.
• The logic in our safety policy is smaller, but it now allows definitions.
• ∧ ≡ λA:o. λB:o. ∀o C. (A ⇒ B ⇒ C) ⇒ C
• ∨ ≡ λA:o. λB:o. ∀o C. (A ⇒ C) ⇒ (B ⇒ C) ⇒ C
• ⊥ ≡ ∀o A. A
• ¬ ≡ λA:o. (A ⇒ ⊥)
• ∃ ≡ λF:τ→o. ∀o B. (∀τ x. ((F x) ⇒ B)) ⇒ B
Slide 15: A Lemma

• Lemma:

  A    B
  ------ ∧I
  A ∧ B

• Proof:

                       (A ⇒ B ⇒ C)    A
                       ---------------- ⇒E
              B             B ⇒ C
              --------------------- ⇒E
                         C
            ----------------------- ⇒I (discharging A ⇒ B ⇒ C)
               (A ⇒ B ⇒ C) ⇒ C
            ----------------------- ∀I
            ∀o C. (A ⇒ B ⇒ C) ⇒ C
            ----------------------- (definition of ∧)
                     A ∧ B

Slide 16: Lemmas in Proofs

• Such definitions and lemmas become part of every proof that uses these connectives.
• Proofs become bigger, but a large part of each proof of safety is now a fixed set of lemmas which can be checked once and for all.

Slide 17: Other Inference Rules

• Derived Rules (Lemmas)

  A    B            A ∧ B          A ∧ B          A              B
  ------ ∧I         ------ ∧E1     ------ ∧E2     ------- ∨I1    ------- ∨I2
  A ∧ B               A              B            A ∨ B          A ∨ B

           (A)  (B)        (A)
  A ∨ B    C    C           ⊥           A    ¬A         ⊥
  --------------- ∨E      ----- ¬I     -------- ¬E     ----- ⊥E
        C                  ¬A             ⊥              A

• Primitive Rule (for classical logic)

  (¬A)
   ⊥
  -----
   A
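The definitions of slide 14 and the derived rules of slide 17, checked exhaustively over the two truth values of o. This is an added Python example, not code from the slides; the finite quantifier forall_o stands in for ∀o, which is adequate here only because o has exactly two values.

```python
from itertools import product
from typing import Callable, Iterable

O = (False, True)                                   # the type o and its two values

def forall_o(P: Callable[[bool], bool]) -> bool:   # ∀o, evaluated exhaustively over o
    return all(P(C) for C in O)

def imp(A: bool, B: bool) -> bool:                 # ⇒ : o → o → o
    return (not A) or B

def and_(A: bool, B: bool) -> bool:                # ∧ ≡ λA,B. ∀o C. (A ⇒ B ⇒ C) ⇒ C
    return forall_o(lambda C: imp(imp(A, imp(B, C)), C))

def or_(A: bool, B: bool) -> bool:                 # ∨ ≡ λA,B. ∀o C. (A ⇒ C) ⇒ (B ⇒ C) ⇒ C
    return forall_o(lambda C: imp(imp(A, C), imp(imp(B, C), C)))

BOT = forall_o(lambda A: A)                        # ⊥ ≡ ∀o A. A

def not_(A: bool) -> bool:                         # ¬ ≡ λA. (A ⇒ ⊥)
    return imp(A, BOT)

def exists(dom: Iterable, F: Callable[[object], bool]) -> bool:
    """∃ ≡ λF. ∀o B. (∀x. (F x ⇒ B)) ⇒ B, with ∀x read off over a finite domain."""
    dom = tuple(dom)
    return forall_o(lambda B: imp(all(imp(F(x), B) for x in dom), B))

def derived_rules_hold() -> bool:
    """The lemmas of slide 17 (∧I, ∧E1, ∧E2, ∨I1, ∨I2, ¬E, ⊥E) checked for every A, B in o."""
    ok = True
    for A, B in product(O, O):
        ok &= imp(A and B, and_(A, B))                       # ∧I
        ok &= imp(and_(A, B), A) and imp(and_(A, B), B)      # ∧E1, ∧E2
        ok &= imp(A, or_(A, B)) and imp(B, or_(A, B))        # ∨I1, ∨I2
        ok &= imp(A and not_(A), BOT)                        # ¬E
        ok &= imp(BOT, A)                                    # ⊥E
    return ok
```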
Slide 18: Typing Rules

• Built-in rules
  • Lock the code producer into a predetermined programming language.
  • Also force a predetermined field layout (predetermined compiler).
• Foundational approach
  • Each type is a defined predicate.
  • Each typing rule is a lemma proved from the definitions.
  • Proofs of lemmas can be incorporated into the proof sent by the code producer.
  • Not relying on metatheorems, e.g., soundness of typing rules.
Slide 19: Functions in Higher-Order Logic for PCC (1)

• Register bank: r ::= R | upd(r, n, e, r')
  • r : num → num
  • upd : (num → num) → num → num → (num → num) → o
• Memory: m ::= M | upd(m, e1, e2, m')
  • m : num → num

Slide 20: Functions in Higher-Order Logic for PCC (2)

• Expressions: e ::= x | n | e1 + e2 | r n | m(e)
  • e : num
  • + : num → num → num
  • r : num → num
  • m : num → num

Slide 21: Predicates in Higher-Order Logic

• Predicates: A ::= e :m τ | e1 = e2 | e1 < e2 | readable(e) | writable(e)
  • readable : num → o
  • writable : num → o
• Instead of the typing judgment (e :m τ) as a predicate of 3 arguments (e, m, and τ), types at the object level (of the programming language) are now predicates of 2 arguments:
    τ : (num → num) → num → o
  We now write (τ m e) instead of (e :m τ).
    int : (num → num) → num → o
    intlist : (num → num) → num → o
Slide 22: Integer Lists Revisited (1)

• Integer lists: (diagram: a nil cell holds the tag 0; a cons cell at address v holds the tag 1, then an int such as 37, then an intlist)

  v :m intlist               v :m intlist    m(v) = 1      v :m intlist    m(v) = 1
  ---------------------      -------------------------     -------------------------
  m(v) = 0 ∨ m(v) = 1        m(v+2) :m intlist             m(v+1) :m int

Slide 23: Integer Lists Revisited (2)

(Same diagram.)

  v :m intlist    m(v) = 1      v :m intlist    m(v) = 1      v :m intlist
  -------------------------     -------------------------     --------------
  readable(v+2)                 readable(v+1)                 readable(v)

• Safety rules, e.g., the three rules above
Slide 24: Types as Definitions

• Integer lists defined as:
    intlist ≡ λm λv. ((readable v) ∧ [(m v) = 0 ∨ ((m v) = 1 ∧ (readable (v+1)) ∧ (int m (v+1)) ∧ (readable (v+2)) ∧ (intlist m (v+2)))])
• Six rules for accessing integer lists now derivable as lemmas? e.g.,

  v :m intlist        v :m intlist    m(v) = 1
  --------------      -------------------------
  readable(v)         m(v+2) :m intlist

• Two problems: (1) recursive definitions, and (2) allocation.
Slide 25: Recursive Datatypes Details

• Let tp ≡ (num → num) → num → o
• Subtypes and the rec operator.
    subtype : tp → tp → o
    rec : (tp → tp) → (num → num) → num → o
    subtype ≡ λτ1,τ2. (∀m,v. ((τ1 m v) ⇒ (τ2 m v)))
    rec ≡ λf,m,v. (∀τ. ((subtype (f τ) τ) ⇒ (τ m v)))
• The recursive types are all types (rec f) for which the least fixed point of the argument function f is (rec f) (the fold/unfold property):
    (rec f m v) ⇔ (f (rec f) m v)

Slide 26: Another Lemma

• This property holds of all functions f that are monotone:
    monotone : (tp → tp) → o
    monotone ≡ λf. (∀τ1,τ2. ((subtype τ1 τ2) ⇒ (subtype (f τ1) (f τ2))))
• We prove:
    ∀f:(tp → tp). ∀m:(num → num). ∀v:num. (monotone f) ⇒ ((rec f m v) ⇔ (f (rec f) m v))

Slide 27: Recursive Datatypes Summary

• Programming languages provide syntax for user-defined recursive datatypes.
• To reason about them, we have to get the semantics right.
• Higher-order logic provides us with the tools to express these semantics.
• In general, inductive reasoning about recursively defined objects requires monotone operators.
Slide 28: Recursive Integer Lists

  intlist ≡ rec (λτ. λm. λv. [(readable v) ∧ ((m v) = 0 ∨ ((m v) = 1 ∧ (readable (v+1)) ∧ (int m (m (v+1))) ∧ (readable (v+2)) ∧ (τ m (m (v+2)))))])

  monotone (λτ. λm. λv. [(readable v) ∧ ((m v) = 0 ∨ ((m v) = 1 ∧ (readable (v+1)) ∧ (int m (m (v+1))) ∧ (readable (v+2)) ∧ (τ m (m (v+2)))))])
Slide 29: Allocation

• An allocptr is used to keep track of the boundary between allocated (above) and unallocated (below) memory locations.
• If allocated memory at address v has fields with the right properties, then v has type intlist.
  (Diagram: a cons cell at v holding 1 and 37, with allocptr marking the boundary.)

  m(v) = 1    v+2 < allocptr    m(v+1) :m int    m(v+2) :m intlist
  -------------------------------------------------------------------
                           v :m intlist

Slide 30: Allocation (continued)

• Allocating new data doesn't affect the types of old data.
  (Diagram: the cell at v holding 1 and 37, allocptr, and a newly allocated cell w holding 45.)

  v :m τ    writable(w)
  ----------------------
      v :m[w→u] τ
Slide 31: Incorporating Allocation

• The typing judgment is parameterized by an allocation predicate: (τ A m v).
• The valid predicate encompasses initialization invariance and allocation invariance.
    valid ≡ λτ. (∀m,v,A,w,u,m'. (((τ A m v) ∧ ¬(A w) ∧ (upd m w u m')) ⇒ (τ A m' v))
               ∧ ∀m,v,A,A'. (((τ A m v) ∧ (∀z. (A z ⇒ A' z))) ⇒ (τ A' m v)))

Slide 32: Integer Lists and Allocation

• A revised intlist:
    intlist ≡ rec (λτ. λA. λm. λv. [(readable v) ∧ (A v) ∧ ((m v) = 0 ∨ ((m v) = 1 ∧ (readable (v+1)) ∧ (A (v+1)) ∧ (int A m (m (v+1))) ∧ (readable (v+2)) ∧ (A (v+2)) ∧ (τ A m (m (v+2)))))])
• Theorem: (valid intlist)

Slide 33: Derived Inference Rules

  m(v) = 1    (A (v+2))    (int A m m(v+1))    (intlist A m m(v+2))
  -------------------------------------------------------------------
                         (intlist A m v)

  (intlist A m v)    ¬(A w)    (upd m w u m')
  -------------------------------------------
               (intlist A m' v)

  (intlist A m v)
  ----------------    where A ≡ λv. (start_read ≤ v < allocptr) and A' ≡ λv. (start_read ≤ v < (allocptr + n))
  (intlist A' m v)
Slide 34: Allocation Summary

• Using our old definition of intlist, we were able to prove safety of programs that traverse integer lists, but not of programs that allocate them.
• Solving this problem requires parameterizing the typing judgment by an allocation predicate: (τ A m v).
• Type definitions must satisfy certain properties about allocation: (valid τ).
• We can now prove safety of the program that, for example, reverses a list by allocating space for a new one and inserting appropriate values.
• We cannot handle the version that reverses pointers (mutable data structures).
• What about other data structures?
Slide 35: A Catalog of Type Constructors

    int ≡ λA,m,v. (true)
    constty ≡ λc. λA,m,v. (c = v)
    ref ≡ λτ. λA,m,v. ((readable v) ∧ (A v) ∧ (τ A m (m v)))
    offset ≡ λi,τ. λA,m,v. (τ A m (v+i))

  (Diagram: address 102, and address 104 whose cell holds 6.)
    6 :A,m (constty 6)
    104 :A,m (ref (constty 6))
    102 :A,m (offset 2 (ref (constty 6)))

Slide 36: A Catalog of Type Constructors (continued)

    field ≡ λi,τ. λA,m,v. (offset i (ref τ) A m v)
    intersect ≡ λτ1,τ2. λA,m,v. ((τ1 A m v) ∧ (τ2 A m v))
    union ≡ λτ1,τ2. λA,m,v. ((τ1 A m v) ∨ (τ2 A m v))
    record2 ≡ λτ1,τ2. λA,m,v. (intersect (field 0 τ1) (field 1 τ2) A m v)

  (Diagram: a two-word record at address 102.)
    102 :A,m (record2 int (constty 6))

Slide 37: Recursive Types in General

• Integer lists as a recursive datatype:
    intlist ≡ rec (λτ. (union (record1 (constty 0)) (record3 (constty 1) int τ)))
• Theorem: (valid intlist). Proved using lemmas about validity of types and type constructors.
• Theorem: (monotone f), where intlist ≡ rec f, i.e. f ≡ λτ. (union (record1 (constty 0)) (record3 (constty 1) int τ)). Proved using lemmas about the monotonicity of types and type constructors.
Slide 38: Representing Functions

    codeptr ≡ λτ. λA,m,v. …
  …if register 1 has type τ, then it is safe to jump to address v…
  (Diagram: at address v the code LD r2 := m(r1), with r1 pointing to a value of type τ, i.e. r1 : τ.)

Slide 39: Summary of Encoding Types

• We have handled lots of types (e.g., most of ML).
  • Primitive types
  • User-defined datatypes, including recursive ones
  • Function types
• We haven't handled:
  • Mutable data structures
  • All valid ML recursive datatypes

Slide 40: Covariant Recursive Datatypes

• Functions as type constructors used in recursive datatypes give us covariant (but not contravariant) types.
• For example:
    intlist = nil of () | cons of int × intlist
    τ1 = c1 of int | c2 of int → τ1
    τ2 = c1 of int | c2 of (τ2 → int) → τ2
    τ3 = c1 of int | c2 of ((τ3 → int) × int) → (τ3 × int)
• But not:
    τ4 = c1 of int | c2 of τ4 → int

Slide 41: Contravariant Recursive Types and Functions

• Approach 1: Recursion-Theoretic Semantics as in [Mitchell & Viswanathan, ICALP'96].
  • Will allow us to handle ML, Java, … (We need to model mutable types also.)
  • Models types as partial equivalence relations (pers) and functions as natural numbers representing Turing machine indices.
• Approach 2: An Indexed Model of Recursive Types for Foundational Proof-Carrying Code [Appel & McAllester'00]
  • A much simpler model
  • Not as general (can't prove as many properties of programs, but perhaps not important for safety proofs)
Slide 42: Simplifying the Machine Semantics

• Instead of using a VCGen and proving (on paper) its soundness with respect to the abstract machine…
• We formalize the abstract machine as a definition in higher-order logic.
• We prove the properties that we need (such as Hoare-like rules) as lemmas.
• See [Michael & Appel, CADE'00] for this approach applied to real machine instruction sets such as Sparc.

Slide 43: Informal Description of the Abstract Machine

(r, m) evaluates to:

  Instruction              | r'                       | m'
  -------------------------|--------------------------|----------------------------------------------
  ADD rd := rs1 + rs2      | upd(r, d, rs1 + rs2)     | m
  ADDC rd := rs + c        | upd(r, d, rs + c)        | m
  LD rd := m(rs + c)       | upd(r, d, m(rs + c))     | m, and readable(rs + c)
  ST m(rs2 + c) := rs1     | r                        | upd(m, rs2 + c, rs1), and writable(rs2 + c)
  RET                      | r                        | m
  INV p                    | r                        | m

Slide 44: Formal Description of the Abstract Machine

• Instruction decoding
    stepRel ≡ (num → num) → (num → num) → (num → num) → (num → num) → o
    decode : num → (num → num) → stepRel → o
    (decode pc M op) ≡
        LD rd := m(rs + c):
          (∃d,s,c. ((M pc) = 2000 + d * 100 + s * 10 + c)
                   ∧ (op = (λR,M,R',M'. M' = M ∧ (upd R d (M ((R s) + c)) R') ∧ (readable ((R s) + c)))))
      ∨ ST: …
      ∨ ADD: …
      ∨ ADDC: …
      ∨ BGT: …
      ∨ BEQ: …

Slide 45: Steps and Multisteps

• The step relation: stepRel
    (R,M) ↦ (R',M') ≡ (∃op. ∃R''. ((decode (R pc) M op) ∧ (upd R pc ((R pc) + 1) R'') ∧ (op R'' M R' M')))
• The multistep rule

  (Inv R M)    ∀R1,M1. (Inv R1 M1) ⇒ ((safe R1 M1) ∨ ∃R2,M2. (((R1,M1) ↦ (R2,M2)) ∧ (Inv R2 M2)))
  -----------------------------------------------------------------------------------------------
                                          (safe R M)
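The LD case of decode from slide 44, the step relation of slide 45 and the multistep rule with the exit rule of slide 46, modelled as an added Python example (not the slides' own code). Assumptions: register 0 is the program counter, the designated return address is 102 (just past a two-instruction constructed program), readable follows the sample safety rule of slide 5, and the other encodings (ST, ADD, …) are left undecoded because the slide elides them.

```python
from typing import Callable, Dict, Optional, Tuple

Regs = Dict[int, int]
Mem = Dict[int, int]
State = Tuple[Regs, Mem]
Op = Callable[[Regs, Mem], Optional[State]]   # a stepRel, as a partial function (R, M) -> (R', M')

PC = 0             # assumption: register 0 is the program counter pc
RETURN_ADDR = 102  # assumption: the designated exit address of slide 46, just past the code

def readable(v: int) -> bool:       # the sample safety rule of slide 5: ∀v (v > 200 ⇒ readable(v))
    return v > 200

def upd(r: Dict[int, int], n: int, e: int) -> Dict[int, int]:   # upd(r, n, e, r') as a function
    r2 = dict(r)
    r2[n] = e
    return r2

def decode(pc: int, M: Mem) -> Optional[Op]:
    """The LD case of decode (slide 44): M(pc) = 2000 + d*100 + s*10 + c means
    LD rd := m(rs + c). Any other word does not decode here (the other cases are elided)."""
    word = M.get(pc)
    if word is None or not 2000 <= word < 3000:
        return None
    d, s, c = (word - 2000) // 100, (word % 100) // 10, word % 10
    def ld(R: Regs, M_: Mem) -> Optional[State]:
        addr = R[s] + c
        if not readable(addr) or addr not in M_:   # side condition readable(rs + c) fails:
            return None                              # no successor state, the machine is stuck
        return upd(R, d, M_[addr]), M_               # R' = upd R d (M (R s + c)), M' = M
    return ld

def step(R: Regs, M: Mem) -> Optional[State]:
    """(R,M) ↦ (R',M') of slide 45: decode at (R pc), form R'' = upd R pc ((R pc) + 1), apply op."""
    op = decode(R[PC], M)
    return None if op is None else op(upd(R, PC, R[PC] + 1), M)

def safe(R: Regs, M: Mem, inv: Callable[[Regs, Mem], bool], fuel: int = 100) -> bool:
    """The multistep rule of slide 45 checked along one concrete run: Inv holds now, and each
    Inv state either has (R pc) = return_addr (exit rule, slide 46) or steps to an Inv state."""
    for _ in range(fuel):
        if not inv(R, M):
            return False
        if R[PC] == RETURN_ADDR:
            return True
        nxt = step(R, M)
        if nxt is None:
            return False
        R, M = nxt
    return False

# Constructed program: 100: LD r2 := m(r1 + 0) is 2210;  101: LD r3 := m(r1 + 1) is 2311
PROGRAM: Mem = {100: 2210, 101: 2311, 250: 7, 251: 9}
INV = lambda R, M: R[1] > 200 and R[1] in M and R[1] + 1 in M   # justifies both loads

def run(r1: int) -> bool:           # start at start_code = 100 with register 1 set to r1
    return safe({PC: 100, 1: r1}, PROGRAM, INV)
```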
Slide 46: Initial State and Exit

• Interface rules, e.g.,
  • Exiting by jumping to a designated address is safe:

      (R pc) = return_addr
      --------------------
          (safe R M)

  • The program counter is initially set to the first instruction of the code:
      (R0 pc) = start_code
• By proving these rules from the machine semantics, we essentially formalize Necula's proof of soundness of VCGen.

Slide 47: A Prototype Implementation

• Like PCC, Foundational PCC has been implemented in the Twelf system, which implements the Logical Framework (LF or λP).
• A first prototype was implemented in λProlog.
• We have seen a λ-term notation for HOL proofs. Here, we have a shallow embedding in LF.
• We experimented with many versions of the logic (safety policy). Using a logical framework allowed us to change it easily.
Slide 48: Other Results

• Michael & Appel, CADE 2000 show how to encode the semantics of real machine architectures such as Sparc and Mips.
• Not all ML datatypes fit our definition of monotone. An indexed model of recursive types handles a larger class (Appel & McAllester 2000).
• Ahmed, Appel, & Virga, LICS 2002 show how to add mutable datatypes to the indexed model.
• Swadi, Appel, & Virga, 2001 presents a typed machine language to which high-level languages may be compiled.
• Necula, CADE 2002 formalizes a proof of soundness of typing rules.
• Appel & Felty have further developed an environment for implementing proof-carrying code systems (papers to appear in TPLP and JFP).
• Shao et al. have developed a syntactic approach to PCC, LICS 2002.
• Bernard & Lee, Temporal Logic for Proof-Carrying Code, CADE 2002.

Slide 49: Other Ongoing and Future Work

• An Environment for Proof-Carrying Code
• Automating Proofs of Safety
• Modeling Semantics of FLINT Types
• Handling Other Programming Languages such as Java
• Proof Size
• Mutable Fields
• Certified Compilation
• Machine Instruction Sets such as Sparc and Pentium
• Concurrency
• Runtime Code Generation
• Garbage Collection

Slide 50: Some Other Approaches to Software Safety

• Sandboxing inserts extra instructions to bound the range of accessible addresses [Wahbe et al. '93].
• In Java bytecode verification, the just-in-time compiler is in the Trusted Code Base.
• Policy-Directed Code Safety [Evans & Twyman '99] provides a system architecture for expressing safety policies, which are enforced by transforming programs.
• Typed Assembly Language [Morrisett et al.] extends traditional untyped assembly languages with typing annotations, memory management primitives, and a sound set of typing rules.
• Certified Binaries [Shao, Saha, Trifonov, & Papaspyrou, POPL'02] integrate an entire proof system (the calculus of inductive constructions) into a compiler intermediate language.