Semantics of types for mutable state

Proof-carrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of low-level typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, low-level type systems by providing machine-checkable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references—that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higher-order logic. I also show how to construct an indexed possible-worlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a full-fledged low-level typed assembly language. Finally, I present a semantic model for a region calculus that supports type-invariant references as well as memory reuse.

[1]  Rance Cleaveland,et al.  Implementing mathematics with the Nuprl proof development system , 1986 .

[2]  Andrew W. Appel,et al.  A type-based compiler for standard ML , 1995, PLDI '95.

[3]  Andrew W. Appel,et al.  Foundational proof checkers with small witnesses , 2003, PPDP '03.

[4]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[5]  Frank J. Oles Functor Categories and Store Shapes , 1997 .

[6]  Christine Paulin-Mohring,et al.  The coq proof assistant reference manual , 2000 .

[7]  Andrew W. Appel,et al.  Machine Instruction Syntax and Semantics in Higher Order Logic , 2000, CADE.

[8]  John C. Reynolds,et al.  Types, Abstraction and Parametric Polymorphism , 1983, IFIP Congress.

[9]  Ian T. Foster,et al.  The anatomy of the grid: enabling scalable virtual organizations , 2001, Proceedings First IEEE/ACM International Symposium on Cluster Computing and the Grid.

[10]  Andrew M. Pitts,et al.  A Fully Abstract Translation between a Lambda-Calculus with Reference Types and Standard ML , 1995, TLCA.

[11]  Manish Parashar,et al.  Grid Computing — GRID 2002 , 2002, Lecture Notes in Computer Science.

[12]  David Walker,et al.  Typed memory management in a calculus of capabilities , 1999, POPL '99.

[13]  Peter Lee,et al.  TIL: a type-directed, optimizing compiler for ML , 2004, SIGP.

[14]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[15]  Jaakko Hintikka,et al.  Impossible possible worlds vindicated , 1975, J. Philos. Log..

[16]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[17]  Carey Nachenberg,et al.  Computer virus-antivirus coevolution , 1997, Commun. ACM.

[18]  Frank J. Oles,et al.  Type Algebras, Functor Categories, and Block Structure , 1986 .

[19]  李幼升,et al.  Ph , 1989 .

[20]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[21]  Jaroslav Peregrin,et al.  Possible worlds: a critical analysis , 1993 .

[22]  Mark Ryan,et al.  Logic in Computer Science: Modelling and Reasoning about Systems , 2000 .

[23]  Philip Wadler,et al.  The Glasgow Haskell Compiler: a technical overview , 1993 .

[24]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[25]  Carolyn L. Talcott,et al.  1 Equivalence in Functional Languages with E ectsIan , 2007 .

[26]  Thierry Coquand,et al.  The Calculus of Constructions , 1988, Inf. Comput..

[27]  Mads Tofte,et al.  Implementation of the typed call-by-value λ-calculus using a stack of regions , 1994, POPL '94.

[28]  David Walker,et al.  Alias Types for Recursive Data Structures , 2000, Types in Compilation.

[29]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..

[30]  Jon G. Riecke,et al.  The SLam calculus: programming with secrecy and integrity , 1998, POPL '98.

[31]  Karl Crary,et al.  Toward a foundational typed assembly language , 2003, POPL '03.

[32]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[33]  Mads Tofte,et al.  Type Inference for Polymorphic References , 1990, Inf. Comput..

[34]  George C. Necula,et al.  Oracle-based checking of untrusted software , 2001, POPL '01.

[35]  Dan Grossman,et al.  TALx86: A Realistic Typed Assembly Language∗ , 1999 .

[36]  David Walker,et al.  Alias Types , 2000, ESOP.

[37]  Christopher Small MiSFIT: A Tool for Constructing Safe Extensible C++ Systems , 1997, COOTS.

[38]  John C. Mitchell,et al.  Abstract types have existential type , 1988, TOPL.

[39]  Andrew W. Appel,et al.  A low-level typed assembly language with a machine-checkable soundness proof , 2004 .

[40]  Luca Cardelli,et al.  Comparing Object Encodings , 1997, Inf. Comput..

[41]  Andrew W. Appel,et al.  A Trustworthy Proof Checker , 2004, Journal of Automated Reasoning.

[42]  Mitchell Wand,et al.  Denotational semantics using an operationally-based term model , 1997, POPL '97.

[43]  Benjamin C. Pierce,et al.  Logical Relations for Encryption , 2001, J. Comput. Secur..

[44]  Dan R. Ghica,et al.  Abstract Models of Storage , 2000, High. Order Symb. Comput..

[45]  Andrew M. Pitts Existential Types: Logical Relations and Operational Equivalence , 1998, ICALP.

[46]  Andrew W. Appel,et al.  Foundational proof-carrying code , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[47]  I. Stark,et al.  Domains and Denotational Semantics History Accomplishments and Open Problems , 1996 .

[48]  Greg Morrisett,et al.  Typed memory management , 2001 .

[49]  Frank J. Oles,et al.  A category-theoretic approach to the semantics of programming languages , 1982 .

[50]  John C. Mitchell,et al.  Foundations for programming languages , 1996, Foundation of computing series.

[51]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[52]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[53]  C. Pollard,et al.  Center for the Study of Language and Information , 2022 .

[54]  Philip Wadler,et al.  Theorems for free! , 1989, FPCA.

[55]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, NSPW '99.

[56]  Robert D. Tennent,et al.  Semantics of programming languages , 1991, Prentice Hall International Series in Computer Science.

[57]  Andrew W. Appel,et al.  An indexed model of recursive types for foundational proof-carrying code , 2001, TOPL.

[58]  Dan Grossman Existential Types for Imperative Languages , 2002, ESOP.

[59]  Franklyn Turbak,et al.  Strongly Typed Flow-Directed Representation Transformations. , 1997, ICFP 1997.

[60]  Gordon D. Plotkin,et al.  An ideal model for recursive polymorphic types , 1984, Inf. Control..

[61]  John C. Reynolds,et al.  The essence of ALGOL , 1997 .

[62]  Robert Harper,et al.  A Simplified Account of Polymorphic References , 1994, Inf. Process. Lett..

[63]  Andrew W. Appel,et al.  A provably sound TAL for back-end optimization , 2003, PLDI '03.

[64]  George C. Necula,et al.  Efficient representation and validation of proofs , 1998, Proceedings. Thirteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.98CB36226).

[65]  Douglas J. Howe Equality in lazy computation systems , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[66]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[67]  Ian David Bede Stark,et al.  Names and higher-order functions , 1994 .

[68]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[69]  Paul Blain Levy,et al.  Possible World Semantics for General Storage in Call-By-Value , 2002, CSL.

[70]  Frank Pfenning,et al.  Dependent types in practical programming , 1999, POPL '99.

[71]  David Walker,et al.  Reasoning about hierarchical storage , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[72]  Peter Aczel,et al.  Non-well-founded sets , 1988, CSLI lecture notes series.

[73]  Glynn Winskel,et al.  Domain Theoretic Models of Polymorphism , 1989, Inf. Comput..

[74]  Robin Milner,et al.  Co-Induction in Relational Semantics , 1991, Theor. Comput. Sci..

[75]  Mads Tofte,et al.  Region-based Memory Management , 1997, Inf. Comput..

[76]  Andrew M. Pitts,et al.  Operational Semantics and Program Equivalence , 2000, APPSEM.

[77]  Jr. Allen B. Tucker,et al.  The Computer Science and Engineering Handbook , 1997 .

[78]  Frank Pfenning,et al.  System Description: Twelf - A Meta-Logical Framework for Deductive Systems , 1999, CADE.

[79]  Leslie Lamport,et al.  Proving the Correctness of Multiprocess Programs , 1977, IEEE Transactions on Software Engineering.

[80]  Andrew W. Appel,et al.  A stratified semantics of general references embeddable in higher-order logic , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[81]  Lawrence S. Moss,et al.  Vicious circles - on the mathematics of non-wellfounded phenomena , 1996, CSLI lecture notes series.

[82]  Andrew M. Pitts,et al.  Observable Properties of Higher Order Functions that Dynamically Create Local Names, or What's new? , 1993, MFCS.

[83]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[84]  Robert Harper,et al.  Typed closure conversion , 1996, POPL '96.

[85]  Carolyn L. Talcott,et al.  Inferring the Equivalence of Functional Programs That Mutate Data , 1992, Theor. Comput. Sci..

[86]  WadlerPhilip,et al.  Report on the programming language Haskell , 1992 .

[87]  Robert Harper,et al.  A Note on "A Simplified Account of Polymorphic References" , 1996, Inf. Process. Lett..

[88]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[89]  Mahesh Viswanathan,et al.  Foundations for the run-time analysis of software systems , 2000 .

[90]  Jonathan Rees,et al.  Revised3 report on the algorithmic language scheme , 1986, SIGP.

[91]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[92]  Andrew W. Appel,et al.  A semantic model of types and machine instructions for proof-carrying code , 2000, POPL '00.

[93]  Andrew M. Pitts,et al.  Relational Properties of Domains , 1996, Inf. Comput..

[94]  Furio Honsell,et al.  A framework for defining logics , 1993, JACM.

[95]  Douglas J. Howe Proving Congruence of Bisimulation in Functional Programming Languages , 1996, Inf. Comput..

[96]  Paul Blain Levy,et al.  Call-by-push-value , 2022, ACM SIGLOG News.

[97]  Andrew M. Pitts,et al.  Parametric polymorphism and operational equivalence , 2000, Mathematical Structures in Computer Science.

[98]  Albert R. Meyer,et al.  Full Abstraction and the Context Lemma , 1991, TACS.

[99]  George C. Necula,et al.  A certifying compiler for Java , 2000, PLDI '00.

[100]  Zhong Shao,et al.  A Syntactic Approach to Foundational Proof-Carrying Code , 2004, Journal of Automated Reasoning.

[101]  Zhong Shao,et al.  A type-preserving compiler infrastructure , 2002 .

[102]  Robin Milner,et al.  Fully Abstract Models of Typed lambda-Calculi , 1977, Theor. Comput. Sci..

[103]  Guillermo E. Herrera Automating the meta theory of deductive systems , 2000 .

[104]  Peter Deutsch,et al.  A Flexible Measurement Tool for Software Systems , 1971, IFIP Congress.

[105]  Andrew W. Appel,et al.  Construction of a Semantic Model for a Typed Assembly Language , 2004, VMCAI.

[106]  Christine Paulin-Mohring,et al.  Inductive Definitions in the system Coq - Rules and Properties , 1993, TLCA.

[107]  David E. Evans,et al.  Flexible policy-directed code safety , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[108]  Dominic J. D. Hughes Games and definability for system F , 1997, Proceedings of Twelfth Annual IEEE Symposium on Logic in Computer Science.

[109]  Zhong Shao,et al.  Precision in Practice: A Type-Preserving Java Compiler , 2003, CC.

[110]  Frank Pfenning,et al.  Eliminating array bound checking through dependent types , 1998, PLDI.

[111]  Carolyn L. Talcott,et al.  Axiomatizing operational equivalence in the presence of side effects , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[112]  Carolyn L. Talcott,et al.  References, local variables and operational reasoning , 1992, [1992] Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science.

[113]  Samson Abramsky,et al.  A fully abstract game semantics for general references , 1998, Proceedings. Thirteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.98CB36226).

[114]  Andrew W. Appel,et al.  Typed machine language , 2003 .

[115]  Andrew W. Appel,et al.  An Indexed Model of Impredicative Polymorphism and Mutable References , 2003 .