a gallina subset for c extraction of non structural
play

A Gallina Subset for C Extraction of Non-structural Recursion Akira - PowerPoint PPT Presentation

Feb 03, 2024 •370 likes •868 views

A Gallina Subset for C Extraction of Non-structural Recursion Akira Tanaka National Institute of Advanced Industrial Science and Technology (AIST) 2019-09-08 Outline Our C code generator and its problem Verification of AST including NSR

  1. A Gallina Subset for C Extraction of Non-structural Recursion Akira Tanaka National Institute of Advanced Industrial Science and Technology (AIST) 2019-09-08

  2. Outline ● Our C code generator and its problem ● Verification of AST including NSR (Non-Structural Recursion) ● Example of translation of NSR and GA (GA: our intermediate language) ● Technical details of GA ● Conclusion 2

  3. Our Idea We want a simple C code generator for Coq ● Gallina and C have similar constructs – Both have variables – "let" = "variable initialization" – "function application" = "function call" – "match expression" = "switch statement" ● It should be possible to translate from a first-order subset of Gallina to a subset of C 3

  4. More Practical than It Seems at First ● We implemented the CODEGEN plugin for Coq https://github.com/akr/codegen ● It can generate practical code – HTML escape method usable from Ruby Ruby Extension Library Verified using Coq Proof-assistant, RubyKaigi 2017 – rank algorithm for succinct data structures Safe Low-level Code Generation in Coq using Monomorphization and Monadification, IPSJ-SIGPRO, 2017-06-09 ● They are as fast as hand-written C code 4

  5. Wanted Features for Practical Code Generation ● Monomorphization to support polymorphism ● Customizable inductive type implementation – (Monomorphized) Gallina types directly mapped to C types ● Native C types can be used: 64 bit integer, 128 bit SSE type, etc. – Constructors are implemented in C – switch statements can be customized for each inductive type ● Gallina functions are directly mapped to C functions ● Primitive functions are implemented in C; a "primitive function" can be macro which can use – Binary/unary operators – Compiler builtin such as SSE intrinsics ● Loop without stack consumption – Tail recursions are translated to goto ● Destructive update can be used with linearity checker 5

  6. Problems of Current CODEGEN ● Non-structural recursion (NSR) is not supported because no proof elimination – Some algorithms, such as breadth-first search, needs NSR ● CODEGEN itself is not verified – It is implemented in OCaml 6

  7. Our Plan for the Future CODEGEN2 ● Support NSR This requires limited support for proof elimination ● Rewrite most of code generation in Gallina; This makes possible to verify CODEGEN itself Today's topic: Reflecting Gallina terms with NSR 7

  8. Structure of Future CODEGEN2 Source Reflected C code Gallina term AST Proof C code Coq layer elimination generation OCaml layer reflection Source Gallina AST ● Most of the translation is implemented in Gallina; It is verifiable in Coq ● Source Gallina term reflection still needs OCaml (out of scope of verification) 8

  9. Outline ● Our C code generator and its problem ● Verification of AST including NSR ● Example translation of NSR and GA ● Technical details of GA ● Conclusion 9

  10. Verification of the Reflection We verify the result of the reflection verification: term == eval AST Source eval Reflected Gallina AST This verification doesn't need to term Coq verify OCaml code OCaml reflection Source cf. Œuf [Mullen2018] Gallina AST Question: Is it possible to represent a non-structural recursive term as an AST and verify it? Answer: Possible, for a Gallina subset we define 10

  11. NSR using Coq.Init.Wf.Fix ● Fix constructs fix-term with a decreasing argument ● Fix is useful to prove NSR programs, assuming the axiom of functional extensionality ● Fix supports only one argument ● Multiple arguments version of Fix (Fix2, Fix3, ...) can be defined (it needs a Gallina extension, primitive projections, for reasoning) 11

  12. Our Strategy for NSR ● User writes a source NSR program using Fix, Fix2, ... ● Automatic convertible translation – Expands Fix, Fix2, ... to fix (delta-reduction) – Simplify (beta-reduction) – Insert let for A-normal form (zeta-expansion) ● Construct an AST from an A-normal term (A-normal form: function arguments are local variables) – We define an intermediate language, GA, for this AST ● Verify the AST by checking that evaluation of the AST is convertible to the source program 12

  13. AST Verification Structure Gallina program (can use Fix) GA fix-only A-normal form S AST construction AST S A eval convertible eval AST C program ● S: Source program ● S A : A-normal form of Fix-expanded S ● S, S A and eval AST are convertible ● GA is implemented as inductive types ● Verification of "S A is convertible with eval AST " means 13 " AST represents S correctly"

  14. Outline ● Our C code generator and its problem ● Verification of AST including NSR ● Example translation of NSR and GA ● Technical details of GA ● Conclusion 14

  15. Example with NSR in C (Generated Code) We want to generate C code like: L: switch (i < N) { case false: same as: return true; for (; i < N; i++) {} default: return true; i = i + 1; goto L; } This loop increases i to N which needs NSR in Gallina 15

  16. Example in Gallina (Source Code) We can represent the increasing loop in Gallina using Fix as: Definition upto_F (i : nat) (f : forall (i' : nat), R i' i -> bool) : bool. Proof. refine ( match i < N as b' return (b' = (i < N)) -> bool with | false => fun (H : false = (i < N)) => true | true => fun (H : true = (i < N)) => f i.+1 _(* hole of type R i.+1 i *) end erefl). ... proof for R i.+1 i snipped ... Defined. Definition upto := Fix Rwf (fun _ => bool) upto_F. ● N is a parameter Coq.Init.Wf.Fix ● R x y is the relation: N - x < N - y ● Rwf is a proof of well_founded R Use of Fix is appropriate for proof but not C-friendly because the recursion structure is embedded in Fix 16

  17. C-Friendly Form of the Example (Intermediate Representation) ● upto (previous slide) and upto_noFix (this slide) are convertible Definition upto_body (upto_rec : forall (i : nat), Acc R i -> bool) (i : nat) (a : Acc R i) : bool := let n := N in let Hn : n = N := erefl in let b := i < n in let Hb : b = (i < n) := erefl in match b as b' return b' = b -> bool with | false => fun Hm : false = b => true | true => fun Hm : true = b => let j := i.+1 in let Hj : j = i.+1 := erefl in let a' := upto_lemma i n b j a Hn Hb Hm Hj in upto_rec j a' end erefl. Definition upto_noFix := fun x => (fix upto_rec i a := upto_body upto_rec i a) x (Rwf x) ● Uses fix instead of Fix: the recursion structure is explicit ● A-normal form ● proof part is separated as upto_lemma ● Limited use of higher order function 17

  18. GA: Gallina A-normal Form ● We define GA to represent C-friendly Gallina term simply GA defines a subset of Gallina ● GA provides only "variable", "application", "match" and "let" which can be translated to C easily ● GA distinguishes non-dependent types and dependent types to implement syntactic proof elimination ● GA is an intermediate language. Users don't see it 18

  19. Example in GA (Intermediate Representation) The body of upto_body described in GA: leta n Hn := N in leta b Hb := ltn i n in dmatch b with | false Hm => true | true Hm => leta j Hj := S i in letp a' := upto_lemma i n b j a Hn Hb Hm Hj in upto_rec j a' end GA supports non-structural recursion by equality proof constructing "match" and "let" 19

  20. GA Describes Function Body C-friendly Gallina program: Definition upto_body The function body described in GA: (upto_rec : forall (i : nat), Acc R i -> bool) (i : nat) (a : Acc R i) : bool := leta n Hn := N in let n := N in let Hn : n = N := erefl in leta b Hb := ltn i n in let b := i < n in let Hb : b = (i < n) := erefl in dmatch b with match b as b' return b' = b -> bool with | false Hm => true | false => fun Hm : false = b => true | true Hm => | true => fun Hm : true = b => leta j Hj := S i in let j := i.+1 in let Hj : j = i.+1 := erefl in letp a' := upto_lemma i n b j a Hn Hb Hm Hj in let a' := upto_lemma i n b j a Hn Hb Hm Hj in upto_rec j a' upto_rec j a' end end erefl. 20

  21. Syntax of GA v : non-dependent type local variable f : global function name p : proof variable (dependent type) r : recursive function name C : constructor h : lemma name app = f v 1 ... v n global function application rapp = r v 1 ... v n p 1 ... p m recursive function application papp = h v 1 ... v n p 1 ... p m lemma application exp = v | app | rapp | nmatch v 0 with (| C i v i1 ... v im i => exp) i=1...n end | dmatch v 0 with (| C i v i1 ... v im i p i => exp) i=1...n end p i : C i v i1 ... v im i = v 0 | leta v p := app in exp p : v = app | letr v := rapp in exp | letp p := papp in exp | letn v := match v 0 with (| C i v i1 ... v im i => exp) i=1...n in exp | letd v := match v 0 with (| C i v i1 ... v im i p i => exp) i=1...n in exp p i : C i v i1 ... v im i = v 0 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Structural Induction Principles Suppose Context Free Languages U is a set, I

Structural Induction Principles Suppose Context Free Languages U is a set, I

Structural Induction Principles Suppose Context Free Languages U is a set, I is a subset of U (BASIS), Op is a set of operations on U (INDUCTION). Parse Trees and Ambiguity L is a subset of U defined recursively as

183 views • 7 slides
Extraction of a Whole Brain Structural Connectivity Network (1) High-resolution T1 weighted and

Extraction of a Whole Brain Structural Connectivity Network (1) High-resolution T1 weighted and

Extraction of a Whole Brain Structural Connectivity Network (1) High-resolution T1 weighted and diffusion spectrum MRI (DSI) is acquired. DSI is represented with a zoom on the axial slice of the reconstructed diffusion map, showing an orientation

523 views • 14 slides
Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of numbers S. and a target number t. We have to determine of the exists a subset of S such that the summation of the numbers present in the subset is

353 views • 11 slides
Experimental SiPM parameter characterization from avalanche triggering probabilities G. Gallina ,

Experimental SiPM parameter characterization from avalanche triggering probabilities G. Gallina ,

Experimental SiPM parameter characterization from avalanche triggering probabilities G. Gallina , J.Kroeger , P. Giampa, F. Retire ,M. Ward, G. Zhang, L. Doria Electron vs hole triggered avalanches D. Orme, PD09 Following up from Oide PD07

398 views • 22 slides
W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99 Given a sequence of integers a 1 , . . . , a n and a parameter k , NP-completeness of Subset Sum, Partition, Minimum Bin Packing. Decide

214 views • 3 slides
Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

NEW CS 473: Theory II, Fall 2015 Subset Sum Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer positive num- bers, t - target number Question: subset of X s.t. sum of its elements is t ? Lecture 10

200 views • 8 slides
More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

csci 210: Data Structures More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an array that sum up to a given target Permute: finding all permutations of a given string Subset: finding all

436 views • 15 slides
Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Subset Sum Subset Sum Instance : X = { x 1 , . . . , x n } n integer positive num- Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ? Subset Sum SolveSubsetSum ( X , t , M ) b [ 0 . . . Mn ] -

260 views • 5 slides
Anthem Launches IngenioRx Joseph Swedish Chairman, President &amp; CEO John Gallina EVP &amp;

Anthem Launches IngenioRx Joseph Swedish Chairman, President &amp; CEO John Gallina EVP &amp;

Anthem Launches IngenioRx Joseph Swedish Chairman, President &amp; CEO John Gallina EVP &amp; CFO Brian Griffin EVP and President, Commercial and Specialty Business Division Safe Harbor Statement Safe Harbor Statement Under The Private

242 views • 8 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary Tatlock, Dan Grossman 1 Extraction 2 Extraction K coq 2 Extraction K coq 2 Extraction K coq Extraction 2 Extraction K coq Extraction K

1.3k views • 106 slides
Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

310 views • 4 slides
Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset &amp; Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

65 views • 5 slides
CSE 311: Foundations of Computing Subset Construction Fall 2013 Subset construction: NFA

CSE 311: Foundations of Computing Subset Construction Fall 2013 Subset construction: NFA

CSE 311: Foundations of Computing Subset Construction Fall 2013 Subset construction: NFA to DFA Lecture 25: Non-regularity and limits of FSMs 0,1 0 a,b a 1 0 1 1 1 b c 0 b c 1 0 0 0

316 views • 6 slides
Declarative Information Extraction Declarative Information Extraction Using Datalog Datalog with

Declarative Information Extraction Declarative Information Extraction Using Datalog Datalog with

Declarative Information Extraction Declarative Information Extraction Using Datalog Datalog with Embedded with Embedded Using Extraction Predicates Extraction Predicates Warren Shen, AnHai Doan, Jeffrey Naughton University of Wisconsin,

566 views • 25 slides
Ultrafast magnetization dynamics: U t a ast ag et at o dy a cs the role of angular momentum

Ultrafast magnetization dynamics: U t a ast ag et at o dy a cs the role of angular momentum

Ultrafast magnetization dynamics: U t a ast ag et at o dy a cs the role of angular momentum Andrei Kirilyuk Radboud University Nijmegen The Netherlands Radboud University Nijmegen, The Netherlands Radboud University Nijmegen 1 Andrei

493 views • 46 slides
Evaluating Performance using Ratio of Execution Times Tomas Kalibera My Background

Evaluating Performance using Ratio of Execution Times Tomas Kalibera My Background

Evaluating Performance using Ratio of Execution Times Tomas Kalibera My Background PL/Systems R language: GNU R, (Purdue) FastR Java: Ovm, OpenJDK Garbage collection, interpretation, analysis Performance/Benchmarking

388 views • 15 slides
Abstract Syntax Aslan Askarov aslan@cs.au.dk Revised from slides by E. Ernst Abstract syntax

Abstract Syntax Aslan Askarov aslan@cs.au.dk Revised from slides by E. Ernst Abstract syntax

Compilation 2014 Abstract Syntax Aslan Askarov aslan@cs.au.dk Revised from slides by E. Ernst Abstract syntax High-level source Pretty printing code Abstract syntax tree Lexing/Parsing Elaboration Lowering Code generation

374 views • 18 slides
Expression trees and S-expressions Representing the structure of programming languages Theory of

Expression trees and S-expressions Representing the structure of programming languages Theory of

Expression trees S-Expressions S-expressions of sum-of-products Expression trees and S-expressions Representing the structure of programming languages Theory of Programming Languages Computer Science Department Wellesley College Expression

199 views • 16 slides
Lecture 8 and 9 Program Differencing EE382V Software Evolution: Spring 2009, Instructor Miryung

Lecture 8 and 9 Program Differencing EE382V Software Evolution: Spring 2009, Instructor Miryung

Lecture 8 and 9 Program Differencing EE382V Software Evolution: Spring 2009, Instructor Miryung Kim Agenda - Lecture 8 and 9 Motivation for Program Differencing Techniques Problem Definition: What is a Program Differencing Problem?

833 views • 50 slides
SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript

SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript

SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript PLRG@KAIST Hongki Lee , Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu Contents Introduction Big Picture Formal Specification

631 views • 25 slides
Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for

Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for

Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for Context-Free Grammars Lars Hermerschmidt, Stephan Kugelmann, Bernhard Rumpe Software Engineering RWTH Aachen http://www.se-rwth.de/ Lars

240 views • 13 slides
Migrating HLint to the GHC API Neil Mitchell ndmitchell.com What is HLint? A tool for

Migrating HLint to the GHC API Neil Mitchell ndmitchell.com What is HLint? A tool for

Migrating HLint to the GHC API Neil Mitchell ndmitchell.com What is HLint? A tool for suggesting possible improvements to Haskell code. https://github.com/ndmitchell/hlint $ hlint darcs-2.1.2 darcs-2.1.2\src\CmdLine.lhs:94:1: Warning:

684 views • 49 slides

More recommend