Correct-by-Construction Concurrency: Using Dependent Types to Verify Implementations of Effectful Resource Usage Protocols

In the modern, multi-threaded, multi-core programming environment, correctly managing system resources, including locks and shared variables, can be especially difficult and errorprone. A simple mistake, such as forgetting to release a lock, can have major consequences on the correct operation of a program, by, for example, inducing deadlock, often at a time and location that is isolated from the original error. In this paper, we propose a new type-based approach to resource management, based on the use of dependent types to construct a Domain-Specific Embedded Language (DSEL) whose typing rules directly enforce the formal program properties that we require. In this way, we ensure strong static guarantees of correctness-by-construction, without requiring the development of a new special-purpose type system or the associated special-purpose soundness proofs. We also reduce the need for “over-serialisation”, the overly-conservative use of locks that often occurs in manually constructed software, where formal guarantees cannot be exploited. We illustrate our approach by implementing a DSEL for concurrent programming and demonstrate its applicability with reference to an example based on simple bank account transactions.

[1]  Mark Moir,et al.  Efficient nonblocking software transactional memory , 2007, PPOPP.

[2]  P. J. Landin,et al.  The next 700 programming languages , 1966, CACM.

[3]  Peter Hancock,et al.  Interactive Programs in Dependent Type Theory , 2000, CSL.

[4]  Atsushi Igarashi,et al.  Type-Based Analysis of Communication for Concurrent Programming Languages , 1997, SAS.

[5]  Edwin Brady,et al.  Practical implementation of a dependently typed functional programming language , 2005 .

[6]  Naoki Kobayashi,et al.  Type-Based Analysis of Deadlock for a Concurrent Calculus with Interrupts , 2007, ESOP.

[7]  Chung-chieh Shan,et al.  Position : Lightweight static resources ? Sexy types for embedded and systems programming , 2007 .

[8]  Simon L. Peyton Jones,et al.  Composable memory transactions , 2005, CACM.

[9]  David Walker,et al.  Policy enforcement via program monitoring , 2006 .

[10]  Martin Hofmann,et al.  Static prediction of heap space usage for first-order functional programs , 2003, POPL '03.

[11]  David R. Butenhof Programming with POSIX threads , 1993 .

[12]  Paul Hudak,et al.  Functional reactive animation , 1997, ICFP '97.

[13]  Wei-Ngan Chin,et al.  A type system for resource protocol verification and its correctness proof , 2004, PEPM '04.

[14]  Paul Hudak,et al.  Building domain-specific embedded languages , 1996, CSUR.

[15]  Scott Oaks,et al.  Java Threads , 1997 .

[16]  Edwin Brady,et al.  Ivor, a Proof Engine , 2006, IFL.

[17]  Carolyn L. Talcott,et al.  A foundation for actor computation , 1997, Journal of Functional Programming.

[18]  David Walker,et al.  A type system for expressive security policies , 2000, POPL '00.

[19]  Saleem N. Bhatti,et al.  Domain Specific Languages (DSLs) for Network Protocols (Position Paper) , 2009, 2009 29th IEEE International Conference on Distributed Computing Systems Workshops.

[20]  Krzysztof Czarnecki,et al.  DSL Implementation in MetaOCaml, Template Haskell, and C++ , 2003, Domain-Specific Program Generation.

[21]  Arie Shoshani,et al.  System Deadlocks , 1971, CSUR.

[22]  Healfdene Goguen A typed operational semantics for type theory , 1994 .

[23]  Benjamin C. Pierce,et al.  Linearity and the pi-calculus , 1999, TOPL.

[24]  Daan Leijen,et al.  Parsec, a fast combinator parser , 2001 .

[25]  Ralf Hinze,et al.  Implementation and Application of Functional Languages , 2012, Lecture Notes in Computer Science.

[26]  Edwin Brady,et al.  A verified staged interpreter is a verified compiler , 2006, GPCE '06.

[27]  Jifeng He,et al.  Towards a truly concurrent model for processes sharing resources , 2005, Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05).

[28]  Peter Amey,et al.  Correctness By Construction: Better Can Also Be Cheaper , 2002 .

[29]  Tim Sheard,et al.  WHAT IS A PROOF , 2005 .

[30]  Simon L. Peyton Jones,et al.  Imperative functional programming , 1993, POPL '93.

[31]  Peter J. Stuckey,et al.  Resource Usage Verification , 2003, APLAS.

[32]  Walid Taha,et al.  Multi-Stage Programming. , 1997, ICFP 1997.

[33]  Walid Taha,et al.  Tagless staged interpreters for typed languages , 2002, ICFP '02.

[34]  Conor McBride,et al.  A Tutorial Implementation of a Dependently Typed Lambda Calculus , 2010, Fundam. Informaticae.

[35]  D. A. Turner,et al.  Elementary Strong Functional Programming , 1995, FPLE.

[36]  Edwin Brady,et al.  A Dependently Typed Framework for Static Analysis of Program Execution Costs , 2005, IFL.

[37]  Simon L. Peyton Jones,et al.  Simple unification-based type inference for GADTs , 2006, ICFP '06.

[38]  Atsushi Igarashi,et al.  Resource usage analysis , 2002, POPL '02.

[39]  Conor McBride,et al.  The view from the left , 2004, Journal of Functional Programming.

[40]  Conor McBride,et al.  Epigram: Practical Programming with Dependent Types , 2004, Advanced Functional Programming.

[41]  Conor McBride,et al.  Inductive Families Need Not Store Their Indices , 2003, TYPES.

[42]  Lars Birkedal,et al.  Polymorphism and separation in hoare type theory , 2006, ICFP '06.

[43]  Lars Birkedal,et al.  Ynot: dependent types for imperative programs , 2008, ICFP 2008.

[44]  Robert Ennals Software Transactional Memory Should Not Be Obstruction-Free , 2005 .

[45]  Greg J. Michaelson,et al.  Hume: A Domain-Specific Language for Real-Time Embedded Systems , 2003, GPCE.

[46]  Naoki Kobayashi,et al.  A Type System for Lock-Free Processes , 2002, Inf. Comput..

[47]  J. Gregory Morrisett,et al.  Towards type-theoretic semantics for transactional concurrency , 2009, TLDI '09.

[48]  Chris Hawblitzel,et al.  Linear types for aliased resources , 2005 .

[49]  Walid Taha,et al.  Multi-Stage Programming: Its Theory and Applications , 1999 .