raising the level of abstraction in systems programming ...awkward api, often based on string...
TRANSCRIPT
![Page 1: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/1.jpg)
1
Raising the Level of Abstraction in Systems Programming with Fiat and Extensible, Correct-by-Construction Compilers
Adam ChlipalaMIT CSAILENTROPY workshopJanuary 2018
Joint work with: Thomas Braibant, Santiago Cuellar, Benjamin Delaware, Samuel Duchovni, Jason Gross, Gregory Malecha, Clément Pit—Claudel, Sorawit Suriyakarn, Peng Wang, and Katherine Ye
![Page 2: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/2.jpg)
2
How We're Doing
Software bug causes launch failure
Software bug leaks secret information
Hardware bug causes massive recall
Software bug causes loss of life
The time has come to settle for nothing less than high-assurance computer systems!
![Page 3: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/3.jpg)
3
It is time for you to take your medicine. Oh, sure. Sure,
sure, sure.Better get back to work....
Us Developers
![Page 4: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/4.jpg)
4
Analog computers
Stored-program computers
Assembly language
Structured programming
Data abstraction
Formal methods
![Page 5: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/5.jpg)
5
Formal specif ications and proofs deserve to be the new glue holding together complex systems and helping us understand them and their parts.
The design of systems should change to take advantage of formal methods to raise the level of abstraction.
![Page 6: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/6.jpg)
6
The Big Idea
IDEA
algorithm algorithm data structure data structure
IDEA
functional behavior optimizations
Only need to read this part of the code, to understand non-performance aspects!Language implementation should enforce that optimizations can't break correctness.
Language implementation should enforce that algorithms can't break data structure invariants.
![Page 7: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/7.jpg)
7
That Looks FamiliarIDEA
program optimizing compiler
IDEA
queries database engine
What do these pictures have in common? Mere mortals fear to tread here:
![Page 8: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/8.jpg)
8
State of the Art: Building an Internet Server
Core Protocol Logic
Cryptography“The Cloud”
Packet Format Parsing
Persistent State
Parser Generator
sourceSQL Database
Library Reuse
rockstarcoders
![Page 9: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/9.jpg)
9
Complaints About: Talking to a Standard Server
Persistent State
SQL Database
Awkward API, often based on string manipulation,allowing code-injectionvulnerabilities
Yet another language, only understandable after reading a pile of documentation
Database is a black box, maintained by an elite cadre, often not doing quite what you need
And by the way,sometimes there are serious bugs.
![Page 10: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/10.jpg)
10
Complaints About: Using a Domain-Specif ic Language
Packet Format Parsing
Parser Generatorsource
Core Protocol Logic
Yet another language, only understandable after reading a pile of documentation
Compiler is a black box, maintained by an elite cadre, often not doing quite what you need
Awkward integration, with build processes instead of clean intra-language abstractions
And by the way,sometimes there are serious bugs.
![Page 11: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/11.jpg)
11
What About Embedded DSLs?Complaint Addressed?Yet another language
Partly yes, but still need to learn the semantics of the DSL, even if syntax may be standardized
Compiler is a black box
No!
Awkward integration
Yes!
Sometimes serious bugs
Partly yes, as we usually avoid type-safety bugs but not deeper semantic bugs
![Page 12: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/12.jpg)
12
Complaints About: Using Libraries Coded by Wizards
Cryptography
Library Reuse
rockstarcoders
Algorithms Prime #s
HW Arches
Labor-intensive adaptation, with each combination taking at least several days for an expert.
And by the way,sometimes there are serious bugs.
![Page 13: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/13.jpg)
13
Rethinking the Programming Framework
Common Logic & Programming Framework
Domain-Specif ic Notation
Domain-Specif ic Notation
Domain-Specif ic Notation Domain-Specif ic
Notationproof
proof
proof
proofSemantics
SemanticsSemantics
Semantics
Correctness bugs?Ruled out by pervasive use of a proof assistant.
![Page 14: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/14.jpg)
14
Functionality
Program Surface Syntax
core program
Desugared bymacro #1 Desugared by
macro #2
Macros desugar into the common language of higher-order logic.Often the most concise code isn't
obviously executable!
Performance
optimized, executable program
Compiled byoptimizationscript #1
Compiled byoptimizationscript #2
Optimization scripts use Coq's tactic language and are correct
by construction.
Fiat
![Page 15: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/15.jpg)
15
Fiat's Layers
1. Coq: logic and tactic language2. Computations: nondeterministic functional programs3. Abstract data types: encapsulated state4. Domains: libraries for particular spec styles5. Applications
![Page 16: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/16.jpg)
16
Definition SchedulerSchema := Query Structure Schema [ relation "Processes" has schema <"pid" :: W, "state" :: State, "cpu" :: W> where (UniqueAttribute ``"pid") ] enforcing [].
Definition SchedulerSpec : ADT _ := QueryADTRep SchedulerSchema { (* … *)
Def Method1 "Enumerate" (r : rep) (state : State) : rep * list W := For (p in r!"Processes") Where (p!"state" = state) Return (p!"pid"),
(* … *) }.
Assembly language
proof
Automatic, proof-generating derivation of assembly code from relational specif ications
Foundational proofs: connect operational semantics of assembly to original spec, trusting little beyond standard Coq proof checker
![Page 17: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/17.jpg)
17
Demo:Query Structures
& the Bookstore example
![Page 18: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/18.jpg)
18
Core Fiat: Computations as Sets of Results
Initial Spec(nondeterministic, in logic)
Functional
≥ ≥
Imperative
verif ied compilation to assembly
One allowable behavior, within a space of choices
Ref ined Spec(some decisions made)
≥
Ref inement (subset) relation, with Coq proofs
Awkward API?Unif ied notion of computationswith common logic
![Page 19: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/19.jpg)
19
Computations naturally form a monad.
ret v ≝ {v}x � c
1; c
2(x)≝ {v ∈ c
2(x) | x ∈ c
1}
Example:x � {n ∈ ℕ | ∃m. n = 2 × m};y � ℕ;ret (x + 2 × y)
In other words, choose an even number,by some very indirect means!
![Page 20: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/20.jpg)
20
Ref inement of computations is just subset.
ret v ≝ {v}x � c
1; c
2(x)≝ {v ∈ c
2(x) | x ∈ c
1}
Example:x � {n ∈ ℕ | ∃m. n = 2 × m};y � ℕ;ret (x + 2 × y)
In other words,resolving nondeterminismis the same asmoving to a smaller set.
⊆ {n ∈ ℕ | even(n)}
ret 42⊇
![Page 21: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/21.jpg)
21
Ref inement is compatible with rewriting.
a � ca;
b � cb;
...y � c
y;
z � cz;
ret e
Proved lemma:∀v. f(v) ⊇ g(v)
For v = e1,
specializes toc
y ⊇ d
y.
Rewrite
a � ca;
b � cb;
...y � d
y;
z � cz;
ret e
![Page 22: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/22.jpg)
22
Demo:f ind an element not in a list
![Page 23: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/23.jpg)
23
Fiat Principle #2: Abstract Data Typeswith computations for methods
ADT {rep = Tmethod m
1(x : D
1) : R
1 = c
1
method m2(x : D
2) : R
2 = c
2
…method m
n(x : D
n) : R
n = c
n
}
Type of private state
Method has computationas body, allowingnondeterminism.
![Page 24: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/24.jpg)
24
Macros as DocumentationDef Method1 "NumOrders" (r : rep) (author : string) : rep * nat := count <- Count (For (o in r!sORDERS) (b in r!sBOOKS) Where (author = b!sAUTHOR) Where (o!sISBN = b!sISBN) Return ()); ret (r, count)
Return a ≡return [a]
Where P b ≡{l | P → l ∈ b ∧ ¬P → l = []}
Count b ≡results ← b;return length(results)
Yet another language?Readable macros desugaring into a common language
![Page 25: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/25.jpg)
25
Ingredients for Optimization Scripts
filter (λ(x, _) → f(x)) (join l1 l2)= join (filter f l1) l2
filter (λ(k, v) → k = k0) (BST.enumerate t)
= BST.lookup t k0
Compiler a black box?Easy to add new optimization rules w/ proofs
![Page 26: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/26.jpg)
26
Example Derivation: SQL-style database
table island : {Name : string, Size : int, Temp : int}
sizeOf(db, name) =for i ∈ db.islandwhere i.Name = namereturn i.Size
![Page 27: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/27.jpg)
27
sizeOf(db, name) =for i ∈ db.islandwhere i.Name = namereturn i.Size
STEP 1: representation change
dictionary island : string � {Size : int, Temp : int}Abstraction relation:
db ~ fmap ≝ ∀r. r ∈ db � fmap(r.Name) = {Size = r.Size, Temp = r.Temp}
sizeOf(fmap, name) =db � {db | db ~ fmap}for i ∈ db.islandwhere i.Name = namereturn i.Size
state x : τx
m(x, args) = estate y : τ
ym(y, args) =
x � {x | x ~ y}e
RULE: representation change
![Page 28: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/28.jpg)
28
sizeOf(fmap, name) =db � {db | db ~ fmap}for i ∈ db.islandwhere i.Name = namereturn i.Size
STEP 2: for+fmap
dictionary island : string � {Size : int, Temp : int}
sizeOf(fmap, name) =for k, v ∈ fmaplet i = {Name = k, Size = v.Size, Temp = v.Temp}where i.Name = namereturn i.Size
x � {x | ∀r. r ∈ x � y(k(r)) = v(r)}for r ∈ xq(r)
RULE: use dictionary
for k, v ∈ ylet r = kv-1(k, v)q(r)
![Page 29: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/29.jpg)
29
STEP 3: simplify
dictionary island : string � {Size : int, Temp : int}
sizeOf(fmap, name) =for k, v ∈ fmapwhere k = namereturn v.Size
sizeOf(fmap, name) =for k, v ∈ fmaplet i = {Name = k, Size = v.Size, Temp = v.Temp}where i.Name = namereturn i.Size
![Page 30: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/30.jpg)
30
sizeOf(fmap, name) =for k, v ∈ fmapwhere k = namereturn v.Size
STEP 4: for-where-key-eq
dictionary island : string � {Size : int, Temp : int}
sizeOf(fmap, name) =for v ∈ fmap.lookup(name)return v.Size
for k, v ∈ fmapwhere k = xq(k, v)
RULE: equality test to lookup
for v ∈ fmap.lookup(x)q(x, v)
![Page 31: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/31.jpg)
31
Example Derivation: binary decoder
T = {A : int, B : string, C : list int}
encode(t : T) = encodeInt(t.A)++ encodeInt(len(t.C))++ encodeString(t.B)++ encodeList(encodeInt, t.C)
decode(s : bitstring) ={t | s = encode(t)}
![Page 32: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/32.jpg)
32
Example Derivation: binary decoder
T = {A : int, B : string, C : list int}
encode(t : T) = encodeInt(t.A)++ encodeInt(len(t.C))++ encodeString(t.B)++ encodeList(encodeInt, t.C)
decode(s : bitstring) ={t | s = eI(t.A) ++ eI(len(t.C)) ++ eS(t.B) ++ eL(eI, t.C)}
![Page 33: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/33.jpg)
33
Example Derivation: binary decoder
decode(s : bitstring) ={t | s = eI(t.A) ++ eI(len(t.C)) ++ eS(t.B) ++ eL(eI, t.C)}
![Page 34: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/34.jpg)
34
{t | s = eI(t.A) ++ eI(len(t.C)) ++ eS(t.B) ++ eL(eI, t.C)}
STEP 1: decode A
decode(s : bitstring) =let a, s = dI(s){t | t.A = a ∧ s = eI(len(t.C)) ++ eS(t.B) ++ eL(eI, t.C)}
{x | P(x) ∧ s = eI(f(x)) ++ s'}
RULE: decode integerlet v, s = dI(s){x | f(x) = v ∧ P(x) ∧ s = s'}
![Page 35: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/35.jpg)
35
STEP 2: decode length
decode(s : bitstring) =let a, s = dI(s)let n, s = dI(s){t | len(t.C) = n ∧ t.A = a ∧ s = eS(t.B) ++ eL(eI, t.C)}
let a, s = dI(s){t | t.A = a ∧ s = eI(len(t.C)) ++ eS(t.B) ++ eL(eI, t.C)}
![Page 36: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/36.jpg)
36
let a, s = dI(s)let n, s = dI(s){t | len(t.C) = n ∧ t.A = a ∧ s = eS(t.B) ++ eL(eI, t.C)}
STEP 3: decode B
decode(s : bitstring) =let a, s = dI(s)let n, s = dI(s)let b, s = dS(s){t | t.B = b ∧ len(t.C) = n ∧ t.A = a ∧ s = eL(eI, t.C)}
{x | P(x) ∧ s = eS(f(x)) ++ s'}
RULE: decode stringlet v, s = dS(s){x | f(x) = v ∧ P(x) ∧ s = s'}
![Page 37: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/37.jpg)
37
let a, s = dI(s)let n, s = dI(s)let b, s = dS(s){t | t.B = b ∧ len(t.C) = n ∧ t.A = a ∧ s = eL(eI, t.C)}
STEP 4: decode C
decode(s : bitstring) =let a, s = dI(s)let n, s = dI(s)let b, s = dS(s)let c, s = dL(dI, s, n){t | t.C = c ∧ t.B = b ∧ len(t.C) = n ∧ t.A = a ∧ s = []}
{x | P(x) ∧ s = eL(eI, f(x)) ++ s'}
RULE: decode listlet v, s = dL(eI, s, n){x | f(x) = v ∧ P(x) ∧ s = s'}
when ∀x. P(x) � len(f(x)) = n
![Page 38: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/38.jpg)
38
let a, s = dI(s)let n, s = dI(s)let b, s = dS(s)let c, s = dL(dI, s, n){t | t.C = c ∧ t.B = b ∧ len(t.C) = n ∧ t.A = a ∧ s = []}
STEP 5: construct t
decode(s : bitstring) =let a, s = dI(s)let n, s = dI(s)let b, s = dS(s)let c, s = dL(dI, s, n)if s = []:
{A = a, B = b, C = c}else:
fail
{x | P(x) ∧ s = []}
RULE: use witness if s = []:
velse:
fail
when P(v)
![Page 39: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/39.jpg)
39
A Relational Abstract Data TypeADT FiniteSet(α) {
private set : ℘(α);
constructor init() {set := {};
}
method add(x : α) {set := {x} ∪ set;
}
method member(x : α) {return {b : bool | b = true ↔ x ∈ set};
}
method toList() {return {l : list(α) | NoDup(l) ∧ ∀x. x ∈ set ↔ In(x, l)};
}}
A nondeterministic abstract data type formalizes expectations of a data structure, without committing to
optimization details.
![Page 40: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/40.jpg)
40
ADT Delegation
ADT MyBookCollection(FS : FiniteSet(nat × string)) {private books : FS;
constructor init() {books := new FS();
}
method newBook(isbn : nat, title : string) {books.add((isbn, title));
}
method allTitles() {return map (fn (_, title) => title) (books.toList());
}}
Delegation allows one ADT to assume an implementation of another.
![Page 41: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/41.jpg)
41
Translating to Lower-Level Imperative CodeADT MyBookCollection(FS : FiniteSet(nat × string)) {
private books : FS;
method newBook(isbn : nat, title : string) {tup := new Tuple();tup.set(0, isbn);tup.set(1, title);books.add(tup); }
method allTitles() {ls := books.toList();out := new List();while (!ls.isEmpty()) {
x := ls.pop();title := tup.get(x, 1);out.push(title);
}delete ls;out.reverse();return out; } }
books.add((isbn, title));
map (fn (_, title) => title)(books.toList())
Tactic-based derivation produces imperative code from functional, using
extensible hint databases.
![Page 42: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/42.jpg)
42
Verif ied Compilation with ADTs
method allTitles() {ls := books.toList();out := new List();while (!ls.isEmpty()) {
x := ls.pop();title := tup.get(x, 1);out.push(title);
}delete ls;out.reverse();return out;
}
Two key parameters to operational semantics of imperative language:
1. Domain of abstract models for foreign data types2. Hoare-style precondition and postcondition for every foreign
function, using abstract predicates for foreign data types
Verif ied compiler justif ies linking with arbitrary implementations of those types and operations in other Bedrock languages.
{List(ls, hd::tl)}x := ls.pop();
{Tuple(x, hd) * List(ls, tl)}
![Page 43: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/43.jpg)
43
Ongoing Related Work
Relational Spec
Functional Code
Imperative Code
Assembly Code
FiatCryptography
Generates low-level ECC codeautomatically, with proof.Adopted by Google's BoringSSLlibrary, thus transitively for TLS inChrome and Android.
Processor Impl.
Implementations of RISC-Vopen instruction set, proving againstoff icial formal semantics
![Page 44: Raising the Level of Abstraction in Systems Programming ...Awkward API, often based on string manipulation, allowing code-injection vulnerabilities Yet another language, only understandable](https://reader033.vdocuments.net/reader033/viewer/2022052012/6028aff98b3a2013a72dc4ce/html5/thumbnails/44.jpg)
44
http://plv.csail.mit.edu/fiat/Work supported by:
I2O: HACMS and BRASS programs National Science Foundation
Separate functionality and performance
Functionality as macros desugaring to a common logic
Performance via proved optimization rules