Arxiv:2011.03076V2 [Cs.PL] 12 Jan 2021 Epeetapicpe Hoeia Rmwr O Inferring for Framework Theoretical Principled a Present We Oki Eei N Aiyextensible

Total Page:16

File Type:pdf, Size:1020Kb

Arxiv:2011.03076V2 [Cs.PL] 12 Jan 2021 Epeetapicpe Hoeia Rmwr O Inferring for Framework Theoretical Principled a Present We Oki Eei N Aiyextensible Towards a more perfect union type Michał J. Gajda Abstract derive JSON types [2]1. This approach requires considerable We present a principled theoretical framework for inferring engineering time due to the implementation of unit tests in and checking the union types, and show its work in practice a case-by-case mode, instead of formulating laws applying on JSON data structures. to all types. Moreover, this approach lacks a sound underly- The framework poses a union type inference as a learn- ing theory. Regular expression types were also used to type ing problem from multiple examples. The categorical frame- XML documents [13], which does not allow for selecting al- work is generic and easily extensible. ternative representation. In the present study, we generalize previously introduced approaches and enable a systematic CCS Concepts: • Software and its engineering → Gen- addition of not only value sets, but inference subalgorithms, eral programming languages; • Social and professional to the union type system. topics → History of programming languages. 1.1.2 Frameworks for describing type systems. Type ACM Reference Format: systems are commonly expressed as partial relation of typ- Michał J. Gajda. 2020. Towards a more perfect union type. In Pro- ing. Their properties, such as subject reduction are also ex- ceedings of 32nd International Symposium on Implementation and pressed relatively to the relation (also partial) of reduction Application of Functional Languages (IFL2020). ACM, New York, NY, USA, 14 pages. within a term rewriting system. General formulations have been introduced for the Damas-Milner type systems param- eterized by constraints [23]. It is also worth noting that tradi- 1 Introduction tional Damas-Milner type disciplines enjoy decidability, and Typing dynamic languages has been long considered a chal- embrace the laws of soundness, and subject-reduction. How- lenge [3]. The importance of the task grown with the ubiq- ever these laws often prove too strict during type system uity cloud application programming interfaces (APIs) utiliz- extension, dependent type systems often abandon subject- ing JavaScript object notation (JSON), where one needs to reduction, and type systems of widely used programming infer the structure having only a limited number of sample languages are either undecidable [21], or even unsound [27]. documents available. Previous research has suggested it is Early approaches used lattice structure on the types [25], possible to infer adequate type mappings from sample data which is more stringent than ours since it requires idem- [2, 8, 14, 20]. potence of unification (as join operation), as well as com- In the present study, we expand on these results. We pro- plementary meet operation with the same properties. Se- pose a modular framework for type systems in program- mantic subtyping approach provides a characterization of ming languages as learning algorithms, formulate it as equa- a set-based union, intersection, and complement types [9, tional identities, and evaluate its performance on inference 10], which allows model subtype containment on first-order of Haskell data types from JSON API examples. types and functions. This model relies on building a model using infinite sets in set theory, but its rigidity fails to gen- 2 arXiv:2011.03076v2 [cs.PL] 12 Jan 2021 1.1 Related work eralize to non-idempotent learning . We are also not aware of a type inference framework that consistently and com- 1.1.1 Union type providers. The earliest practical effort pletely preserve information in the face of inconsistencies to apply union types to JSON inference to generate Haskell nor errors, beyond using bottom and expanding to infamous types [14]. It uses union type theory, but it also lacks an ex- undefined behaviour [5]. tensible theoretical framework. F# type providers for JSON We propose a categorical and constructive framework that facilitate deriving a schema automatically; however, a type preserves the soundness in inference while allowing for con- system does not support union of alternatives and is given sistent approximations. Indeed our experience is that most shape inference algorithm, instead of design driven by de- of the type system implementation may be generic. sired properties [20]. The other attempt to automatically in- fer schemas has been introduced in the PADS project [8]. Nevertheless, it has not specified a generalized type-system design methodology. One approach uses Markov chains to 1This approach uses Markov chains to infer best of alternative type representations. 2Which would allow extension with machine learning techniques like IFL2020, September, 2020, Markov chains to infer optimal type representation from frequency of oc- 2020. curing values[2]. IFL2020, September, 2020, Michał J. Gajda 2 Motivation data Example = Example { f_6408f5 :: O_6408f5 Here, we consider several examples similar to JSON API de- , f_54fced :: O_6408f5 scriptions. We provide these examples in the form of a few , f_6c9589 :: O_6408f5 } JSON objects, along with desired representation as Haskell data O_6408f5 = O_6408f5 { size, height :: Int data declaration. , difficulty :: Double , previous :: String } 1. Subsets of data within a single constructor: However, when this object has multiple keys with values a. API argument is an email – it is a subset of valid of the same structure, the best representation is that of a String values that can be validated on the client- mapping shown below. This is also an example of when user side. may decide to explicitly add evidence for one of the alter- b. The page size determines the number of results to re- native representations in the case when input samples are turn (min: 10, max:10,000) – it is also a subset of in- insufficient. (like when input samples only contain a single teger values (Int) between 10, and 10, 000 element dictionary.) c. The date field contains ISO8601 date – a record field data ExampleMap = ExampleMap ( Map Hex ExampleElt) represented as a String that contains a calendar data ExampleElt = ExampleElt { date in the format "2019-03-03" size :: Int , height :: Int 2. Optional fields: The page size is equal to 100 by default , difficulty :: Double – it means we expect to see the record like {"page_size": , previous :: String } 50} or an empty record {} that should be interpreted in the same way as {"page_size": 100} 2.1 Goal of inference 3. Variant fields: Answer to a query is either a number Given an undocumented (or incorrectly labelled) JSON API, of registered objects, or String "unavailable" - this is we may need to read the input of Haskell encoding and integer value (Int)ora String (Int :|: String) avoid checking for the presence of unexpected format devia- 4. Variant records: Answer contains either a text message tions. At the same time, we may decide to accept all known 3 with a user identifier or an error. – That can be repre- valid inputs outright so that we can use types to ensure sented as one of following options: that the input is processed exhaustively. Accordingly, we can assume that the smallest non-singleton {"message": "Where can I submit proposal?", "uid" : 1014}set is a better approximation type than a singleton set. We {"message": "Submit it to HotCRP", "uid":call 317} it minimal containing set principle. {"error" : "Authorization failed", "code": 401}Second, we can prefer types that allow for a fewer num- {"error" : "User not found", "code":ber 404} of degrees of freedom compared with the others, while data Example4 = Message { message :: String conforming to a commonly occurring structure. We denote , uid :: Int } it as an information content principle. | Error { error :: String Given these principles, and examples of frequently oc- , code :: Int } curring patterns, we can infer a reasonable world of types that approximate sets of possible values. In this way, we 5. Arrays corresponding to records: can implement type system engineering that allows deriving type system design directly from the information about data [ [1, "Nick", null ] structures and the likelihood of their occurrence. , [2, "George", "2019-04-11"] , [3, "Olivia", "1984-05-03"] ] 3 Problem definition 6. Maps of identical objects (example from [2]): As we focus on JSON, we utilize Haskell encoding of the { "6408f5": { "size": 969709 , "height":JSON 510599 term for convenient reading(from Aeson package [1]); , "difficulty": 866429.732, "previous":specified"54fced" as follows:}, "54fced": { "size": 991394 , "height": 510598data Value = Object (Map String Value) , "difficulty": 866429.823, "previous": "6c9589" }, | Array [ Value ] "6c9589": { "size": 990527 , "height": 510597 | Null , "difficulty": 866429.931, "previous": "51a0cb" } }| Number Scientific | String Text It should be noted that the last example presented above | Bool Bool requires Haskell representation inference to be non-monotonic, as an example of object with onlya single key would be best represented by a record type: 3Compiler feature of checking for unmatched cases. Towards a more perfect union type IFL2020, September, 2020, 3.1 Defining type inference correspond to a statically assigned and a narrow type. In 3.1.1 Information in the type descriptions. If an infer- this setting, mempty would be fully polymorphic type ∀0.0. ence fails, it is always possible to correct it by introducing an Languages with dynamic type discipline will treat beyond additional observation (example). To denote unification op- as untyped, dynamic value and mempty again is an entirely eration, or information fusion between two type descrip- unknown, polymorphic value (like a type of an element of 6 tions, we use a Semigroup interface operation <> to merge an empty array) . types inferred from different observations. If the semigroup class (Monoid t , Eq t, Show t) is a semilattice, then <> is meet operation (least upper bound). => Typelike t where Note that this approach is dual to traditional unification that beyond :: t -> Bool narrows down solutions and thus is join operation (greatest Besides, the standard laws for a commutative Monoid, lower bound). We use a neutral element of the Monoid to we state the new law for the beyond set: The beyond set indicate a type corresponding to no observations.
Recommended publications
  • Create Union Variables Difference Between Unions and Structures
    Union is a user-defined data type similar to a structure in C programming. How to define a union? We use union keyword to define unions. Here's an example: union car { char name[50]; int price; }; The above code defines a user define data type union car. Create union variables When a union is defined, it creates a user-define type. However, no memory is allocated. To allocate memory for a given union type and work with it, we need to create variables. Here's how we create union variables: union car { char name[50]; int price; } car1, car2, *car3; In both cases, union variables car1, car2, and a union pointer car3 of union car type are created. How to access members of a union? We use . to access normal variables of a union. To access pointer variables, we use ->operator. In the above example, price for car1 can be accessed using car1.price price for car3 can be accessed using car3->price Difference between unions and structures Let's take an example to demonstrate the difference between unions and structures: #include <stdio.h> union unionJob { //defining a union char name[32]; float salary; int workerNo; } uJob; struct structJob { char name[32]; float salary; int workerNo; } sJob; main() { printf("size of union = %d bytes", sizeof(uJob)); printf("\nsize of structure = %d bytes", sizeof(sJob)); } Output size of union = 32 size of structure = 40 Why this difference in size of union and structure variables? The size of structure variable is 40 bytes. It's because: size of name[32] is 32 bytes size of salary is 4 bytes size of workerNo is 4 bytes However, the size of union variable is 32 bytes.
    [Show full text]
  • [Note] C/C++ Compiler Package for RX Family (No.55-58)
    RENESAS TOOL NEWS [Note] R20TS0649EJ0100 Rev.1.00 C/C++ Compiler Package for RX Family (No.55-58) Jan. 16, 2021 Overview When using the CC-RX Compiler package, note the following points. 1. Using rmpab, rmpaw, rmpal or memchr intrinsic functions (No.55) 2. Performing the tail call optimization (No.56) 3. Using the -ip_optimize option (No.57) 4. Using multi-dimensional array (No.58) Note: The number following the note is an identification number for the note. 1. Using rmpab, rmpaw, rmpal or memchr intrinsic functions (No.55) 1.1 Applicable products CC-RX V2.00.00 to V3.02.00 1.2 Details The execution result of a program including the intrinsic function rmpab, rmpaw, rmpal, or the standard library function memchr may not be as intended. 1.3 Conditions This problem may arise if all of the conditions from (1) to (3) are met. (1) One of the following calls is made: (1-1) rmpab or __rmpab is called. (1-2) rmpaw or __rmpaw is called. (1-3) rmpal or __rmpal is called. (1-4) memchr is called. (2) One of (1-1) to (1-3) is met, and neither -optimize=0 nor -noschedule option is specified. (1-4) is met, and both -size and -avoid_cross_boundary_prefetch (Note 1) options are specified. (3) Memory area that overlaps with the memory area (Note2) read by processing (1) is written in a single function. (This includes a case where called function processing is moved into the caller function by inline expansion.) Note 1: This is an option added in V2.07.00.
    [Show full text]
  • Coredx DDS Type System
    CoreDX DDS Type System Designing and Using Data Types with X-Types and IDL 4 2017-01-23 Table of Contents 1Introduction........................................................................................................................1 1.1Overview....................................................................................................................2 2Type Definition..................................................................................................................2 2.1Primitive Types..........................................................................................................3 2.2Collection Types.........................................................................................................4 2.2.1Enumeration Types.............................................................................................4 2.2.1.1C Language Mapping.................................................................................5 2.2.1.2C++ Language Mapping.............................................................................6 2.2.1.3C# Language Mapping...............................................................................6 2.2.1.4Java Language Mapping.............................................................................6 2.2.2BitMask Types....................................................................................................7 2.2.2.1C Language Mapping.................................................................................8 2.2.2.2C++ Language Mapping.............................................................................8
    [Show full text]
  • Julia's Efficient Algorithm for Subtyping Unions and Covariant
    Julia’s Efficient Algorithm for Subtyping Unions and Covariant Tuples Benjamin Chung Northeastern University, Boston, MA, USA [email protected] Francesco Zappa Nardelli Inria of Paris, Paris, France [email protected] Jan Vitek Northeastern University, Boston, MA, USA Czech Technical University in Prague, Czech Republic [email protected] Abstract The Julia programming language supports multiple dispatch and provides a rich type annotation language to specify method applicability. When multiple methods are applicable for a given call, Julia relies on subtyping between method signatures to pick the correct method to invoke. Julia’s subtyping algorithm is surprisingly complex, and determining whether it is correct remains an open question. In this paper, we focus on one piece of this problem: the interaction between union types and covariant tuples. Previous work normalized unions inside tuples to disjunctive normal form. However, this strategy has two drawbacks: complex type signatures induce space explosion, and interference between normalization and other features of Julia’s type system. In this paper, we describe the algorithm that Julia uses to compute subtyping between tuples and unions – an algorithm that is immune to space explosion and plays well with other features of the language. We prove this algorithm correct and complete against a semantic-subtyping denotational model in Coq. 2012 ACM Subject Classification Theory of computation → Type theory Keywords and phrases Type systems, Subtyping, Union types Digital Object Identifier 10.4230/LIPIcs.ECOOP.2019.24 Category Pearl Supplement Material ECOOP 2019 Artifact Evaluation approved artifact available at https://dx.doi.org/10.4230/DARTS.5.2.8 Acknowledgements The authors thank Jiahao Chen for starting us down the path of understanding Julia, and Jeff Bezanson for coming up with Julia’s subtyping algorithm.
    [Show full text]
  • Type-Check Python Programs with a Union Type System
    日本ソフトウェア科学会第 37 回大会 (2020 年度) 講演論文集 Type-check Python Programs with a Union Type System Senxi Li Tetsuro Yamazaki Shigeru Chiba We propose that a simple type system and type inference can type most of the Python programs with an empirical study on real-world code. Static typing has been paid great attention in the Python language with its growing popularity. At the same time, what type system should be adopted by a static checker is quite a challenging task because of Python's dynamic nature. To exmine whether a simple type system and type inference can type most of the Python programs, we collected 806 Python repositories on GitHub and present a preliminary evaluation over the results. Our results reveal that most of the real-world Python programs can be typed by an existing, gradual union type system. We discovered that 82.4% of the ex- pressions can be well typed under certain assumptions and conditions. Besides, expressions of a union type are around 3%, which indicates that most of Python programs use simple, literal types. Such preliminary discovery progressively reveals that our proposal is fairly feasible. while the effectiveness of the type system has not 1 Introduction been empirically studied. Other works such as Py- Static typing has been paid great attention in type implement a strong type inferencer instead of the Python language with its growing popularity. enforcing type annotations. At the same time, what type system should be As a dynamically typed language, Python excels adopted by a static checker is quite a challenging at rapid prototyping and its avail of metaprogram- task because of Python's dynamic nature.
    [Show full text]
  • Software II: Principles of Programming Languages
    Software II: Principles of Programming Languages Lecture 6 – Data Types Some Basic Definitions • A data type defines a collection of data objects and a set of predefined operations on those objects • A descriptor is the collection of the attributes of a variable • An object represents an instance of a user- defined (abstract data) type • One design issue for all data types: What operations are defined and how are they specified? Primitive Data Types • Almost all programming languages provide a set of primitive data types • Primitive data types: Those not defined in terms of other data types • Some primitive data types are merely reflections of the hardware • Others require only a little non-hardware support for their implementation The Integer Data Type • Almost always an exact reflection of the hardware so the mapping is trivial • There may be as many as eight different integer types in a language • Java’s signed integer sizes: byte , short , int , long The Floating Point Data Type • Model real numbers, but only as approximations • Languages for scientific use support at least two floating-point types (e.g., float and double ; sometimes more • Usually exactly like the hardware, but not always • IEEE Floating-Point Standard 754 Complex Data Type • Some languages support a complex type, e.g., C99, Fortran, and Python • Each value consists of two floats, the real part and the imaginary part • Literal form real component – (in Fortran: (7, 3) imaginary – (in Python): (7 + 3j) component The Decimal Data Type • For business applications (money)
    [Show full text]
  • The RPC Abstraction
    The RPC abstraction • Procedure calls well-understood mechanism - Transfer control and data on single computer • Goal: Make distributed programming look same - Code libraries provide APIs to access functionality - Have servers export interfaces accessible through local APIs • Implement RPC through request-response protocol - Procedure call generates network request to server - Server return generates response Interface Definition Languages • Idea: Specify RPC call and return types in IDL • Compile interface description with IDL compiler. Output: - Native language types (e.g., C/Java/C++ structs/classes) - Code to marshal (serialize) native types into byte streams - Stub routines on client to forward requests to server • Stub routines handle communication details - Helps maintain RPC transparency, but - Still had to bind client to a particular server - Still need to worry about failures Intro to SUN RPC • Simple, no-frills, widely-used RPC standard - Does not emulate pointer passing or distributed objects - Programs and procedures simply referenced by numbers - Client must know server—no automatic location - Portmap service maps program #s to TCP/UDP port #s • IDL: XDR – eXternal Data Representation - Compilers for multiple languages (C, java, C++) Sun XDR • “External Data Representation” - Describes argument and result types: struct message { int opcode; opaque cookie[8]; string name<255>; }; - Types can be passed across the network • Libasync rpcc compiles to C++ - Converts messages to native data structures - Generates marshaling routines (struct $ byte stream) - Generates info for stub routines Basic data types • int var – 32-bit signed integer - wire rep: big endian (0x11223344 ! 0x11, 0x22, 0x33, 0x44) - rpcc rep: int32 t var • hyper var – 64-bit signed integer - wire rep: big endian - rpcc rep: int64 t var • unsigned int var, unsigned hyper var - wire rep: same as signed - rpcc rep: u int32 t var, u int64 t var More basic types • void – No data - wire rep: 0 bytes of data • enum {name = constant,.
    [Show full text]
  • Session Types = Intersection Types + Union Types
    Session Types = Intersection Types + Union Types Luca Padovani Dipartimento di Informatica, Universita` di Torino Corso Svizzera 185, Torino, Italy [email protected] We propose a semantically grounded theory of session types which relies on intersection and union types. We argue that intersection and union types are natural candidates for modeling branching points in session types and we show that the resulting theory overcomes some important defects of related behavioral theories. In particular, intersections and unions provide a native solution to the problem of computing joins and meets of session types. Also, the subtyping relation turns out to be a pre-congruence, while this is not always the case in related behavioral theories. 1 Introduction Session types [10, 11, 12] are protocol descriptions that constrain the use of communication channels in distributed systems. In these systems, processes engage into a conversation by first establishing a session on some private channel and then carrying on the conversation within the protected scope of the session. The session type prescribes, for each process involved in the session, the sequence and the type of messages the process is allowed to send or expected to receive at each given time. For example, the session type a:a:b associated with some channel c states that a process can use c for sending two a messages and then waiting for a b message, in this order. Names a and b may stand for either message types, labels, method names and so forth, depending on the process language one is considering. In most session type theories it is possible to specify protocols with branching points indicating alternative behaviors: for example, the session type a:T b:S usually means that a process chooses to send either an a message or a b message and then behaves@ according to T or S depending on the message that it has sent; dually, the session type a:T b:S usually means that a process waits for either an a message or a b message, and then behaves according@ to the respective continuation.
    [Show full text]
  • The Grace Programming Language Draft Specification Version 0.5. 2025" (2015)
    Portland State University PDXScholar Computer Science Faculty Publications and Presentations Computer Science 2015 The Grace Programming Language Draft Specification ersionV 0.5. 2025 Andrew P. Black Portland State University, [email protected] Kim B. Bruce James Noble Follow this and additional works at: https://pdxscholar.library.pdx.edu/compsci_fac Part of the Programming Languages and Compilers Commons Let us know how access to this document benefits ou.y Citation Details Black, Andrew P.; Bruce, Kim B.; and Noble, James, "The Grace Programming Language Draft Specification Version 0.5. 2025" (2015). Computer Science Faculty Publications and Presentations. 140. https://pdxscholar.library.pdx.edu/compsci_fac/140 This Working Paper is brought to you for free and open access. It has been accepted for inclusion in Computer Science Faculty Publications and Presentations by an authorized administrator of PDXScholar. Please contact us if we can make this document more accessible: [email protected]. The Grace Programming Language Draft Specification Version 0.5.2025 Andrew P. Black Kim B. Bruce James Noble April 2, 2015 1 Introduction This is a specification of the Grace Programming Language. This specifica- tion is notably incomplete, and everything is subject to change. In particular, this version does not address: • James IWE MUST COMMIT TO CLASS SYNTAX!J • the library, especially collections and collection literals • static type system (although we’ve made a start) • module system James Ishould write up from DYLA paperJ • dialects • the abstract top-level method, as a marker for abstract methods, • identifier resolution rule. • metadata (Java’s @annotations, C] attributes, final, abstract etc) James Ishould add this tooJ Kim INeed to add syntax, but not necessarily details of which attributes are in language (yet)J • immutable data and pure methods.
    [Show full text]
  • Union Types for Semistructured Data
    University of Pennsylvania ScholarlyCommons Technical Reports (CIS) Department of Computer & Information Science April 1999 Union Types for Semistructured Data Peter Buneman University of Pennsylvania Benjamin C. Pierce University of Pennsylvania, [email protected] Follow this and additional works at: https://repository.upenn.edu/cis_reports Recommended Citation Peter Buneman and Benjamin C. Pierce, "Union Types for Semistructured Data", . April 1999. University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-99-09. This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_reports/173 For more information, please contact [email protected]. Union Types for Semistructured Data Abstract Semistructured databases are treated as dynamically typed: they come equipped with no independent schema or type system to constrain the data. Query languages that are designed for semistructured data, even when used with structured data, typically ignore any type information that may be present. The consequences of this are what one would expect from using a dynamic type system with complex data: fewer guarantees on the correctness of applications. For example, a query that would cause a type error in a statically typed query language will return the empty set when applied to a semistructured representation of the same data. Much semistructured data originates in structured data. A semistructured representation is useful when one wants to add data that does not conform to the original type or when one wants to combine sources of different types. However, the deviations from the prescribed types are often minor, and we believe that a better strategy than throwing away all type information is to preserve as much of it as possible.
    [Show full text]
  • State of the Union: Type Inference Via Craig Interpolation
    State of the Union: Type Inference Via Craig Interpolation Ranjit Jhala1, Rupak Majumdar2,andRu-GangXu2 1 UC San Diego 2 UC Los Angeles Abstract. The ad-hoc use of unions to encode disjoint sum types in C programs and the inability of C’s type system to check the safe use of these unions is a long standing source of subtle bugs. We present a dependent type system that rigorously captures the ad-hoc protocols that programmers use to encode disjoint sums, and introduce a novel technique for automatically inferring, via Craig Interpolation, those de- pendent types and thus those protocols. In addition to checking the safe use of unions, the dependent type information inferred by interpolation gives programmers looking to modify or extend legacy code a precise un- derstanding of the conditions under which some fields may safely be ac- cessed. We present an empirical evaluation of our technique on 350KLOC of open source C code. In 80 out of 90 predicated edges (corresponding to 1472 out of 1684 union accesses), our type system is able to infer the correct dependent types. This demonstrates that our type system captures and explicates programmers’ informal reasoning about unions, without requiring manual annotation or rewriting. 1 Introduction We present a type system and inference algorithm for statically checking the safety of downcasts in imperative programs. Our type system is motivated by the problem of checking the safety of union accesses in C programs. C pro- grammers extensively use unions to encode disjoint sum types in an ad-hoc manner. The programmer uses the value of a tag field to determine which ele- ment of the union an instance actually corresponds to.
    [Show full text]
  • High Level Memory Model with Low Level Pointer Cast Support For
    ISSN 03617688, Programming and Computer Software, 2015, Vol. 41, No. 4, pp. 197–208. © Pleiades Publishing, Ltd., 2015. Original Russian Text © M.U. Mandrykin, A.V. Khoroshilov, 2015, published in Programmirovanie, 2015, Vol. 41, No. 4. HighLevel Memory Model with LowLevel Pointer Cast Support for Jessie Intermediate Language1 M. U. Mandrykin* and A. V. Khoroshilov** The Institute for System Programming of the RAS, ul. A. Solzhenitsyna 25, Moscow, 109004 Russia email: *[email protected], **[email protected] @ Abstract—The paper presents a target analyzable language used for verification of realworld production GNU C programs (Linux kernel modules). The language represents an extension of the existing intermediate language used by the Jessie plugin for the F@ramaC static analysis framework. Compared to the original Jessie, the extension is fully compatible with the C semantics of arrays, initially supports discriminated unions and prefix (hierarchical) structure pointer casts and provides a limited, but reasonable support for lowlevel pointer casts (reinterpretations of the underlying bytes of memory). The paper describes the approaches to translation of the original C code into the analyzable intermediate language and of the intermediate language into Why3ML i.e. the input language of the Why3 deductive verification platform. DOI: 10.1134/S0361768815040040 1 INTRODUCTION violations and buffer overruns). Third, C is a lowlevel language with generally untyped semantics, which can There are many tools and techniques for static ver substantially influence the choice of an appropriate ification of C source code. Among them are deduction techniques, that are based on translation of the origi memory model. nal C source code supplied with specifications of the Let’s assume the VC for the assertion check at line properties being verified into a set of logical formulas 10 (a[n] = 1) is required.
    [Show full text]