SLIDE 1
Fast machine words in
λ → ∀
=
I s a b e l l e
β α
H O L
Andreas Lochbihler
Digital Asset (Switzerland) GmbH
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
2
Fast machine words in I = Andreas Lochbihler Digital - - PowerPoint PPT Presentation
Fast machine words in I = Andreas Lochbihler Digital - - PowerPoint PPT Presentation
e H l O l L e b a s Fast machine words in I = Andreas Lochbihler Digital Asset (Switzerland) GmbH e H O l l L e b Code generation in a s I = code executable generator
SLIDE 2
SLIDE 3
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
proving evaluation
3
SLIDE 4
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
proving evaluation + ∗ & < <
4
SLIDE 5
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
proving evaluation + ∗ & < <
Native Word
5
SLIDE 6
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
proving evaluation + ∗ & < <
Native Word
TCB
6
SLIDE 7
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
proving evaluation + ∗ & < <
Native Word
TCB
Requirements:
- efficient
- support all target languages
- validated
7
SLIDE 8
Code generation in
λ → ∀
=
I s a b e l l e
β α
H O L
executable definitions code generator FFI
Haskell SML
proving evaluation + ∗ & < <
Native Word
Isabelle/CakeML TCB
Requirements:
- efficient
- support all target languages
- validated
8
SLIDE 9
What is the result on 32-bit words?
−5 mod 3 =
9
SLIDE 10
What is the result on 32-bit words?
−5 mod 3 =
Isabelle 2 OCaml 1 Scala 1 Haskell 2 SML 2
10
SLIDE 11
What is the result on 32-bit words?
−5 mod 3 =
Isabelle 2 OCaml 1 Scala 1 Haskell 2 SML 2
1 < < (231 + 1)=
11
SLIDE 12
What is the result on 32-bit words?
−5 mod 3 =
Isabelle 2 OCaml 1 Scala 1 Haskell 2 SML 2
1 < < (231 + 1)=
Isabelle OCaml unspecified Scala 2 Haskell unspecified SML implementation-defined
12
SLIDE 13
What is the result on 32-bit words?
−5 mod 3 =
Isabelle 2 OCaml 1 Scala 1 Haskell 2 SML 2
1 < < (231 + 1)=
Isabelle OCaml unspecified Scala 2 Haskell unspecified SML implementation-defined PolyML 32-bit 2 PolyML 64-bit
13
SLIDE 14
Available bit-widths
bits PolyML SMLNJ mlton OCaml GHC Scala 32 64 32 64 8 √ √ √ √ √ √ 16 √ √ √ 32 √ √ √ √ √ √ √ √ 64 √ √ √ √ √ √ √ default 31 63 31 32 31 63 ≥ 30 32 = signed operations only
14
SLIDE 15
Let’s abstract over these differences I
α word ≃ {0, . . . , 2α − 1}
- perations
theorems applications HOL-Word (Dawson et al.) uint8 uint16 uint32 uint64 uint
- perations
proofs Native Word copy lift transfer FFI
Haskell SML
15
SLIDE 16
Let’s abstract over these differences II
- 1. Identify subset of common behaviour
definition divmod-abs x y = (|x| div |y| , |x| mod |y|)
- 2. Reduce to restricted behaviour
lemma [code]: divmod x y = . . . if sgn x = sgn y then divmod-abs x y else . . .
- 3. Common FFI for all languages
code-printing divmod-abs → (Haskell) divMod (abs ) (abs
)
(OCaml) . . . (Scala) . . . (SML) . . .
Conventional approach
16
SLIDE 17
Let’s abstract over these differences II
- 1. Identify subset of common behaviour
definition divmod-abs x y = (|x| div |y| , |x| mod |y|)
- 2. Reduce to restricted behaviour
lemma [code]: divmod x y = . . . if sgn x = sgn y then divmod-abs x y else . . .
- 3. Common FFI for all languages
code-printing divmod-abs → (Haskell) divMod (abs ) (abs
)
(OCaml) . . . (Scala) . . . (SML) . . .
Conventional approach 2 case distinctions on the sign of each operand PolyML: 2X slowdown
17
SLIDE 18
Let’s abstract over these differences II
- 1. Identify subset of common behaviour
definition divmod-abs x y = (|x| div |y| , |x| mod |y|)
- 2. Reduce to restricted behaviour
lemma [code]: divmod x y = . . . if sgn x = sgn y then divmod-abs x y else . . .
- 3. Common FFI for all languages
code-printing divmod-abs → (Haskell) divMod (abs ) (abs
)
(OCaml) . . . (Scala) . . . (SML) . . .
Conventional approach
- 1. Model behaviours of target languages
definition uint32-div x y = . . . definition uint32-sdiv x y = . . .
- 2. Build cascade of models
lemma [code]: div x y = . . . uint32-div . . . uint32-div x y = . . . uint32-sdiv . . .
- 3. One FFI for each language
code-printing uint32-div → (Haskell) Prelude.div code-printing uint32-sdiv → (OCaml) Int32.div code-printing . . . → . . .
Cascading
SLIDE 19
Let’s abstract over these differences II
- 1. Identify subset of common behaviour
definition divmod-abs x y = (|x| div |y| , |x| mod |y|)
- 2. Reduce to restricted behaviour
lemma [code]: divmod x y = . . . if sgn x = sgn y then divmod-abs x y else . . .
- 3. Common FFI for all languages
code-printing divmod-abs → (Haskell) divMod (abs ) (abs
)
(OCaml) . . . (Scala) . . . (SML) . . .
Conventional approach
- 1. Model behaviours of target languages
definition uint32-div x y = . . . definition uint32-sdiv x y = . . .
- 2. Build cascade of models
lemma [code]: div x y = . . . uint32-div . . . uint32-div x y = . . . uint32-sdiv . . .
- 3. One FFI for each language
code-printing uint32-div → (Haskell) Prelude.div code-printing uint32-sdiv → (OCaml) Int32.div code-printing . . . → . . .
Cascading uint32-sdiv uint32-div divuint32 div32 word . . .
SML Haskell
19
SLIDE 20
What about unspecified behaviour?
x << n is undefined if n > 32 Underspecification in OCaml definition uint32-shiftl x n = if n ≤ 32 then x < < n else undefined (< <) x n lemma [code]: x < < n = if n ≤ 32 then uint32-shiftl x n else 0 Underspecification in HOL code-printing
20
SLIDE 21
Underspecification leads to refinement
HOL axioms definitions Correctness w/o underspecification: If code c terminates with result r, then we can derive c = r.
SLIDE 22
Underspecification leads to refinement
HOL axioms definitions Correctness w/o underspecification: If code c terminates with result r, then we can derive c = r. Correctness with underspecification: Every derivable property of the code c applies to the result r.
22
SLIDE 23
Underspecification leads to refinement
c = 23 (εx. x > 0) = 1 c = 42 (εx. x > 0) = 2 c = 17 (εx. x > 0) = 3 HOL axioms definitions Correctness w/o underspecification: If code c terminates with result r, then we can derive c = r. Correctness with underspecification: Every derivable property of the code c applies to the result r.
23
SLIDE 24
Underspecification leads to refinement
c = 23 (εx. x > 0) = 1 c = 42 (εx. x > 0) = 2 c = 17 (εx. x > 0) = 3 HOL axioms definitions
Haskell
Correctness w/o underspecification: If code c terminates with result r, then we can derive c = r. Correctness with underspecification: Every derivable property of the code c applies to the result r. Running underspecified functions introduces refinement!
24
SLIDE 25
Underspecification leads to refinement
c = 23 (εx. x > 0) = 1 c = 42 (εx. x > 0) = 2 c = 17 (εx. x > 0) = 3 HOL axioms definitions
Haskell
Correctness w/o underspecification: If code c terminates with result r, then we can derive c = r. Correctness with underspecification: Every derivable property of the code c applies to the result r. Running underspecified functions introduces refinement! Forbid underspecification for proofs!
25
SLIDE 26
Default word size with underspecified bit width
bits PolyML SMLNJ mlton OCaml GHC Scala 32 64 32 64 8 √ √ √ √ √ √ 16 √ √ √ 32 √ √ √ √ √ √ √ √ 64 √ √ √ √ √ √ √ default 31 63 31 32 31 63 > 30 32
26
SLIDE 27
Default word size with underspecified bit width
bits PolyML SMLNJ mlton OCaml GHC Scala 32 64 32 64 8 √ √ √ √ √ √ 16 √ √ √ 32 √ √ √ √ √ √ √ √ 64 √ √ √ √ √ √ √ default 31 63 31 32 31 63 > 30 32 uint Unspecified bit size
27
SLIDE 28
Default word size with underspecified bit width
bits PolyML SMLNJ mlton OCaml GHC Scala 32 64 32 64 8 √ √ √ √ √ √ 16 √ √ √ 32 √ √ √ √ √ √ √ √ 64 √ √ √ √ √ √ √ default 31 63 31 32 31 63 > 30 32 uint Unspecified bit size
◮ hashing ◮ bit vectors ◮ dynamic implementation choices based on input size
28
SLIDE 29
Validation
◮ Framework to run test cases from within Isabelle/HOL
test-code 251 div 3 = 83 in Scala
29
SLIDE 30
Validation
◮ Framework to run test cases from within Isabelle/HOL
test-code 251 div 3 = 83 in Scala SMLNJ MLton GHC PolyML
◮ Test cases for all operations on uint∗
30
SLIDE 31
Validation
◮ Framework to run test cases from within Isabelle/HOL
test-code 251 div 3 = 83 in Scala SMLNJ MLton GHC PolyML
◮ Test cases for all operations on uint∗ ◮ Revealed many errors in the FFI mapping – now fixed ◮ Found one error in PolyML 5.6 in 64-bit mode – fixed in 5.7
18446744073709551611 div 3 evaluates to 1431655763
31
SLIDE 32
Usage and Benchmarks
Usage:
◮ IsaFoR (Berlekamp-Zassenhaus) ◮ Fleury’s verified SAT solver ◮ CAVA model checker ◮ Z¨
ust’s TLS experiment
32
SLIDE 33
Usage and Benchmarks
Usage:
◮ IsaFoR (Berlekamp-Zassenhaus) ◮ Fleury’s verified SAT solver ◮ CAVA model checker ◮ Z¨
ust’s TLS experiment Factor 400 polynomials over Z/pkZ Strategies:
- 1. Use unbounded GMP integers int.
- 2. If pk < 216 use uint32.
If pk < 232 use uint64. Else use int
- 3. If pk < 2default/2 use uint.
Else use int.
33
SLIDE 34
Usage and Benchmarks
Usage:
◮ IsaFoR (Berlekamp-Zassenhaus) ◮ Fleury’s verified SAT solver ◮ CAVA model checker ◮ Z¨
ust’s TLS experiment Factor 400 polynomials over Z/pkZ Strategies:
- 1. Use unbounded GMP integers int.
- 2. If pk < 216 use uint32.
If pk < 232 use uint64. Else use int
- 3. If pk < 2default/2 use uint.
Else use int. GHC 2 is 18 % faster than 1. PolyML 3 is 4 % faster than 2.
34
SLIDE 35
Takeaways
- 1. Cascade pattern
- 2. Model-theoretic underspecification
x = 5 x = 7 HOL Haskell PolyML
35
SLIDE 36
Takeaways
- 1. Cascade pattern
- 2. Model-theoretic underspecification
x = 5 x = 7 HOL Haskell PolyML
Try it out!
Native Word
in the Archive of Formal Proofs
www.isa-afp.org/entries/Native Word.html
Testing framework
in the Isabelle distribution
HOL-Library.Code Test
36