CSE-321 Programming Languages

Dependent Types

POSTECH

June 5, 2006

박성우

2

Untyped Lanugage

/* takes two integers and returns their sum */

fun add x y = x + y

let s = add 1 2

let t = add "Oops" "Darn"runtime error

3

Typed Lanugage

/* takes two integers and returns their sum */

val add : int -> int -> intfun add x y = x + y

let s = add 1 2

let t = add "Oops" "Darn"compile error

4

Types as Documentations

/* takes two integers and returns their sum */

val add : int -> int -> intfun add x y = x + y

• Types are formal documentations that the compiler recognizes.

• Types express properties of code.– "add takes two integers and returns an integer."

5

Types = Properties of Code?

/* takes two integers and returns their sum */

val add : ???fun add x y = x + y

• Then why not express this property instead:– "add takes two integers and returns their sum."

• What is the type for this property?– ???

6

Lesson• Rich type systems are always better!

– We can express more properties of code.– We can catch more error at compile time.– We can better maintain code.– ...

• Rich type systems are expensive, however.– Eg. System F

• rich type system• but type reconstruction is undecidable.

7

Dependent Types• A good compromise between

– expressivity• can express many useful properties of code.

– cost• decidable

• Theoretic foundation– dependent types = first-order logic

8

Outline• Introduction V• Ex. Array boundary checking• Ex. List length• Ex. Dimension analysis

A couple of slides from Tim Sweeney's invited talk at

POPL 2006

10

Dynamic Failure in Mainstream Languages

Solved problems: Random memory overwrites Memory leaks

Solveable: Accessing arrays out-of-bounds Dereferencing null pointers Integer overflow Accessing uninitialized variables

50% of the bugs in Unreal can be traced to these problems!

11

Analysis of the Unreal code

Usage of integer variables in Unreal:– 90% of integer variables in Unreal exist to index into arrays

• 80% could be dependently-typed explicitly,guaranteeing safe array access without casting.

• 10% would require casts upon array access.

– The other 10% are used for:• Computing summary statistics

• Encoding bit flags

• Various forms of low-level hackery

“For” loops in Unreal:– 40% are functional comprehensions

– 50% are functional folds

12

Array Types• Without dependent types

[| 1; 2; 3 |] : int array

• With dependent types

[| 1; 2; 3 |] : int array [3]

• Dependent array type– 'a array [n]

• array of type 'a with length n

13

Array Boundary Checking• Without dependent types

sub : 'a array * int -> 'aupdate : 'a array * int * 'a -> unit

• With dependent types

sub : 8n:nat. 8i:nat. {i < n}. 'a array [n] * int [i] -> 'a

update : 8n:nat. 8i:nat. {i < n}. 'a array [n] * int [i] * 'a -> unit

14

Outline• Introduction V• Ex. Array boundary checking V• Ex. List length• Ex. Dimension analysis

15

List Types• Without dependent types

[ 1; 2; 3 ] : int list

• With dependent types

[ 1; 2; 3 ] : int list [3]

• Dependent list type– 'a list [n]

• list of type 'a with length n

16

List Constructors• Nil

[] : 'a list [0]

• Cons :: : 8n:nat

'a -> 'a list [n] -> 'a list [n+1]

• Appendappend : 8m:nat. 8n:nat

'a list [m] -> 'a list [n] -> 'a list [m+n]

17

Filtering• Filter a list

filter : ('a -> bool) -> 'a list -> 'a listfilter f nil = nil| f (h :: t) = if f h then f :: filter t

else filter t

• With dependent types

filter : 8m:nat. 9n:nat. {n <= m}. ('a -> bool) -> 'a list [m] -> 'a list

[n]

18

Outline• Introduction V• Ex. Array boundary checking V• Ex. List length V• Ex. Dimension analysis

A slide from the first lecture, March 6

20

Mars Climate Orbiter Failure• Mars Climate Orbiter launched in 1998• Destroyed due to a navigation error• Cause?

– One module used English units (feet).– The other module expected metric units (meter).

• Lessons– Both modules were fine in isolation.– Programmers did not even know the existence of the bug

until the spacecraft was destroyed.– Stupidity:

• NASA scientists? No!• programming languages they used? Yes!

21

Dependent Types for Dimension • Annotate every float value with its dimension

– without dependent types1.0 : float

– with dependent types1.0 meter : float [L]

• Assign dependent types to arithmetic operators+. : 8D. float [D] * float [D] -> float [D]*. : 8D1. 8D2.

float [D1] * float [D2] -> float [D1 * D2]

22

No Mars Climate Orbiter Failure!

1.0 meter + 1.0 feet : float [L]

1.0 meter + 1.0 sec : X

1.0 meter * 1.0 sec : float [LT]

mult_list : 8D. 8n:nat.float [D] list [n] -> float [Dn]