View
23
Download
0
Category
Preview:
Citation preview
Refinement Typesfor
TypeScript
Panagiotis Vekris Benjamin Cosman Ranjit Jhala
University of California, San Diego
PLDI’16Thursday, June 16
2
Extensible static analyses for modern scripting languages
3
Extensible static analyses for modern scripting languages
Wide scale
Looks like
Compiles to
3
Extensible static analyses for modern scripting languages
Higher Order Functions
Wide scale PL Interest
Object Oriented
Looks like
Compiles to
Generics
Optionally Typed
4
Extensible static analyses for modern scripting languages
Verification Documentation
TSNo runtime overhead
5
Extensible static analyses for modern scripting languages
Fixed type tests
5
Extensible static analyses for modern scripting languages
User specified invariants
Fixed type tests
5
Extensible static analyses for modern scripting languages
User specified invariants
Fixed type tests
5
Extensible static analyses for modern scripting languages
User specified invariants
Fixed type tests
5
Extensible static analyses for modern scripting languages
User specified invariants
Fixed type tests
Example
Compute the index of the minimum element of an array
6
7
folds over the elements of an array
7
8
Calls with an appropriate function and initialization
8
Verification goal
Prove that all array accesses are within bounds
Example
Compute the index of the minimum element of an array
9
Array bounds analysis:
10
Array bounds analysis:
Constraint between two values
11
Constraint between two values
12
Array bounds analysis:
Constraint between two values
12
Array bounds analysis:
Constraint between value and closure
Constraint between value and closure
13
Constraint carries over through call to
function parameters
Constraint between value and closure
13
Constraint checkedon invocation
Constraint carries over through call to
function parameters
14
Constraint checkedon invocation
Constraint carries over through call to
function parameters
14
Problem
To check array access we must track relations between closures and values
14
Problem
To check array access we must track relations between closures and values
SolutionRefinement types
Refinement Types
Value variable
Base type
Logical predicate
15
Refinement Types
“Set of values of type such that formula is true”
Value variable
Base type
Logical predicate
15
Refinement Types
“Set of values of type such that formula is true”
Value variable
Base type
Logical predicate
E.g.:
“Set of valid indexes for an array ”
15
How can we type ?
16
TypeScript type
How can we type ?
16
TypeScript type
How can we type ?
Acc
Basic typing offers some guarantees
16
Accepts Acc
TypeScript type
How can we type ?
Acc
Basic typing offers some guarantees
16
Returns AccAccepts Acc
TypeScript type
How can we type ?
Acc
Basic typing offers some guarantees
16
TypeScript type
How can we type ?
Does not capture: “valid index of ”
Basic typing offers some guaranteesbut not value related ones
17
TypeScript type
How can we type to account for valid indexes?
Refinement type
18
TypeScript type
How can we type to account for valid indexes?
Refinement type
18
TypeScript type
How can we type to account for valid indexes?
Refinement type
19
Captures the relation between closure and value
Our contributionDesign a refinement type system for TypeScript
20
Challenges
Assignments
Mutability
Overloading
Annotation Overhead
21
Challenges Solutions we used
AssignmentsSSA Transformation
MutabilityExtend type system with immutability guarantees
OverloadingTwo-phased typing
Annotation Overhead Liquid Types
22
Challenges Solutions we used
AssignmentsSSA Transformation
MutabilityExtend type system with immutability guarantees
OverloadingTwo-phased typing
Annotation Overhead Liquid Types
23
24
Assignments
25
-
-
+
+
+
+
+
25
25
What is the type of ?
Types for
What is the type of ?
26
Types for
What is the type of ?
27
Types for
What is the type of ?
28
Types for
What is the type of ?
29
Types for
Νo single type for
30
Joining types of causes loss of precision
Νο single type for
31
Joining types of causes loss of precision
Use different versions of
Νο single type for
31
Use different versions of
32
Types for
Use different versions of
33
Use different versions of
Types for -
34
Types for -
35
Each version of has a single precise type & gets assigned once
Types for -
35
Static Single Assignment (SSA)
Types for -
35
Static Single Assignment (SSA)
How do we check these types?
generates subtyping constraint
Assignment
36
Reminder
Subtyping Constraints
Generated constraints
37
Subtyping Constraints
: loop induction variable
φ( )
Generated constraints
38
Subtyping Constraints
: loop induction variable
φ( )
Generated constraints
38
Subtyping Constraints
: loop induction variable
φ( )
Generated constraints
39
⊢
Subtyping Constraints
: loop induction variable
φ( )
Generated constraints
Loop condition
Path Sensitivity
39
⊢
Subtyping Constraints
Generated constraints
Loop condition
40
⊢
⊢
Subtyping Constraints
Generated constraints
Safe Array Access
Loop condition
41
⊢
⊢
⊢
Subtyping Constraints
Generated constraints
Loop condition
Substitute
42
⊢
⊢
⊢
Subtyping Constraints
⊢
⊢
⊢
After substitution
43
Subtyping Constraints
⊢
⊢
⊢
Convert to logical implications
⇒⇒⇒⇒⇒
⇒⇒⇒
44
Subtyping Constraints
⊢
⊢
⊢
Convert to logical implications
Solved via SMT
⇒⇒⇒⇒⇒
⇒⇒⇒
44
Challenges Solutions we used
AssignmentsSSA Transformation
MutabilityExtend type system with immutability guarantees
OverloadingTwo-phased typing
Annotation Overhead Liquid Types
45
Mutability
46
Why is the access safe?
47
Why is the access safe?
is initialized to
47
1
Why is the access safe?
is initialized to
is bounded by ’s length
47
1 2
Why is the access safe?
is initialized to
is bounded by ’s length
increases only
47
1 2 3
Why is the access safe?
is initialized to
is bounded by ’s length
increases only
4. Length of does not mutate in loop47
1 2
4
3
48
What if array’s length mutates in loop?
Silentlyupdates
48
What if array’s length mutates in loop?
Silentlyupdates
Check becomes stale
48
What if array’s length mutates in loop?
Silentlyupdates
Check becomes stale
Unsafe access!
48
What if array’s length mutates in loop?
Problem: stale checks break value reasoning
Silentlyupdates
49
Check becomes stale
Unsafe access!
Extend type system to enforce immutability constraints
50
M. Tschantz and M. D. Ernst. Javari: Adding reference immutability to Java.OOPSLA, 2005.
Y. Zibin, A. Potanin, M. Ali, S. Artzi, A. Kiezun, and M. D. Ernst. Object and Reference Immutability using Java Generics. ESEC/FSE, 2007.
Y. Zibin, A. Potanin, P. Li, M. Ali, and M. D. Ernst. Ownership and Immutability in Generic Java. OOPSLA, 2010.
C. S. Gordon, M. J. Parkinson, J. Parsons, A. Bromfield, and J. Duffy. Uniqueness & Reference Immutability for Safe Parallelism. OOPSLA, 2012.
C. S. Gordon, M. D. Ernst, and D. Grossman. Rely-Guarantee References for Refinement Types over Aliased Mutable Data. PLDI, 2013.
F. Militão, J. Aldrich, and L. Caires. Rely-Guarantee Protocols. ECOOP, 2014.
Literature in Object & Reference Immutability
51
M. Tschantz and M. D. Ernst. Javari: Adding reference immutability to Java.OOPSLA, 2005.
Y. Zibin, A. Potanin, M. Ali, S. Artzi, A. Kiezun, and M. D. Ernst. Object and Reference Immutability using Java Generics. ESEC/FSE, 2007.
Literature in Object & Reference Immutability
Simple extension to type system
Encoded in base types – refinements leverage immutability guarantees
52
Immutability Generic Java [Zibin’07]
Mutability astype parameter
53
Immutability Generic Java [Zibin’07]
Mutability astype parameter
This can mutate? Others can mutate?
53
Immutability Generic Java [Zibin’07]
Mutability astype parameter
Only immutable portions in refinement
This can mutate? Others can mutate?
53
Immutability Generic Java [Zibin’07]
54
Immutability Generic Java [Zibin’07]
Call to is flagged as an error,because may only be
applied to receivers
54
Challenges Solutions we used
AssignmentsSSA Transformation
MutabilityExtend type system with immutability guarantees
OverloadingTwo-phased typing
Annotation Overhead Liquid Types
55
Overloading
Value Based
56
Value Based Overloading
Function reflects upon and behaves according to types of its arguments
57
Value Based Overloading
Function reflects upon and behaves according to types of its arguments
#args Signature
2
3
57
Value Based Overloading
Function reflects upon and behaves according to types of its arguments
#args Signature
2
3
1st behavior – 3 args:is of type
57
Value Based Overloading
Function reflects upon and behaves according to types of its arguments
#args Signature
2
3
2nd behavior – 2 args:is of type
57
Q1: What makes it challenging?
Q2: How pervasive is it?
Value Based Overloading
Function reflects upon and behaves according to types of its arguments
58
Type Analysis(base types)
Value Analysis(refinements)
59
Q1: What makes it challenging?
Type Analysis(base types)
Value Analysis(refinements)
Refinements use invariants established by base typesE.g. tracking the access requires to be array
59
Q1: What makes it challenging?
Type Analysis(base types)
Value Analysis(refinements)
Refinements use invariants established by base typesE.g. tracking the access requires to be array
Type reasoning requires tracking logical relationshipsE.g. base type of depends on the value of
59
Q1: What makes it challenging?
Type Analysis(base types)
Value Analysis(refinements)
Refinements use invariants established by base typesE.g. tracking the access requires to be array
Type reasoning requires tracking logical relationshipsE.g. base type of depends on the value of
Circular dependency complicates formal reasoning & implementation
59
Q1: What makes it challenging?
Q2: How pervasive is it?
60
Study set:
DefinitelyTyped: The repository for high quality TypeScript type definitions
Q2: How pervasive is it?
60
Study set:
DefinitelyTyped: The repository for high quality TypeScript type definitions
How do we check overloaded functions?
61
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
61
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
Phase 1a. Make clones of body for each overload
61
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
Phase 1a. Make clones of body for each overload
61
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
Phase 1b. Check body under clone signature
62
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
Phase 1b. Check body under clone signature
Error: expecting type , passed of type
62
Two-Phased Typing [ECOOP’15]
Value- and path-insensitive type-checking
How do we check overloaded functions?
Replace errors with , trusting they are indeed dead-code
63
Two-Phased Typing [ECOOP’15]
Phase 1b. Check body under clone signature
How do we check overloaded functions?
Phase 2. Refinement Type Checking
Prove dead-code with flow- and path-sensitive analysis
64
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
Phase 2. Refinement Type Checking
Prove dead-code with flow- and path-sensitive analysis
Signature implies:
Condition makes branch’s environment inconsistent
64
Two-Phased Typing [ECOOP’15]
How do we check overloaded functions?
Phase 2. Refinement Type Checking
Prove dead-code with flow- and path-sensitive analysis
Signature implies:
Condition makes branch’s environment inconsistent
64
Two-Phased Typing [ECOOP’15]
Also in the paper…
Scaling to TypeScript
• Type featuresObject literal typesInterface typesPrimitive typesUnsound featuresUndefined & null typesCo- & Contra-variant subtypingUnchecked overloads
type
65
• Array support
• Flexible object initializationInternal: ConstructorsExternal: Unique references
Also in the paper…
Scaling to TypeScript
• Type featuresObject literal typesInterface typesPrimitive typesUnsound featuresUndefined & null typesCo- & Contra-variant subtypingUnchecked overloads
type
65
Formal Results
Refinement type safety for core language
• Array support
• Flexible object initializationInternal: ConstructorsExternal: Unique references
Experimental Evaluation
66
Benchmark suite
67
File LOC
366
206
304
576
588
189
293
Total 2522
Benchmark suite
Octane- NavierStokes: 2D fluid motion simulator- Splay: splay tree implementation- Richards: OS kernel simulator- Raytrace: ray trace renderer
68
File LOC
366
206
304
576
588
189
293
Total 2522
Benchmark suite
TransducersComposable algorithmic transformations
69
File LOC
366
206
304
576
588
189
293
Total 2522
Octane- NavierStokes: 2D fluid motion simulator- Splay: splay tree implementation- Richards: OS kernel simulator- Raytrace: ray trace renderer
Benchmark suite
D3: A JavaScript visualization library- Array operations
TransducersComposable algorithmic transformations
70
File LOC
366
206
304
576
588
189
293
Total 2522
Octane- NavierStokes: 2D fluid motion simulator- Splay: splay tree implementation- Richards: OS kernel simulator- Raytrace: ray trace renderer
Microsoft’s TypeScript compiler- Parts of and
Benchmark suite
71
File LOC
366
206
304
576
588
189
293
Total 2522
D3: A JavaScript visualization library- Array operations
TransducersComposable algorithmic transformations
Octane- NavierStokes: 2D fluid motion simulator- Splay: splay tree implementation- Richards: OS kernel simulator- Raytrace: ray trace renderer
Annotation Overhead
63%
20%
17%
TypeScript signatures
Mutability related
Refinement types
*
* Programs need to be fully typed – no type in signatures
72
File LOCAnnots(% LOC)
366 24.6
206 9.7
304 27.3
576 14.6
588 27.6
189 26.5
293 23.4
Total 2522 21.4
Performance
File LOCAnnots(% LOC)
Time (sec)
366 24.6 473
206 9.7 6
304 27.3 7
576 14.6 15
588 27.6 12
189 26.5 37
293 23.4 62
Total 2522 21.4
73
Performance
File LOCAnnots(% LOC)
Time (sec)
366 24.6 473
206 9.7 6
304 27.3 7
576 14.6 15
588 27.6 12
189 26.5 37
293 23.4 62
Total 2522 21.4
73
More than 100 static array access sites with dynamically
computed indexes
Properties Tested
• Property accesses
• Array bounds checks
• Overloads
• Safe Downcasts
Class based Ad hoc type hierarchies
• User specified value properties. E.g. a function:
returns a positive number accepts non-empty arrays
74
Safe Downcasts
Ad hoc type hierarchies
Properties Tested
74
Safe Downcasts
Ad hoc type hierarchies
Example taken from:
75
TypeScript interfaces are plain JavaScript objectsno type information at runtime
75
TypeScript interfaces are plain JavaScript objectsno type information at runtime
Explicit field ( ) to encode type info needed for dynamic tests
76
77
Invariants
⇒
Invariants
78
⇒
⇒
Invariants
79
⇒
ProblemUnchecked invariants
⇒
80
⇒
ProblemUnchecked invariants
⇒
80
⇒
ProblemUnchecked invariants
⇒
80
⇒
⇒
81
No static ordynamic error
ProblemUnchecked invariants
82
SolutionEncode invariants in refinement types
No static ordynamic error
ProblemUnchecked invariants
Encode type information in logic
83
84
Type for accounts for possible sub-interfaces
85
Bitwise ANDThe containing
object
⇒
Type for accounts for possible sub-interfaces
86
⇒
Λ ⇒
Type for accounts for possible sub-interfaces
87
⇒
Λ ⇒
Λ ⇒
Λ
87
⇒
Λ ⇒
Λ ⇒
Λ
Check downcast
87
⇒
Λ ⇒
Λ ⇒
Λ
Check downcast
88
⇒
Λ ⇒
Λ ⇒
Λ
Invariant for
Check downcast
89
⇒
Λ ⇒
Λ ⇒
Λ
Invariant for Path condition:Λ
Check downcast
90
Invariant for Path condition:Λ ⇒
⇒
Λ ⇒
Λ ⇒
Λ
Check downcast
91
Invariant for Path condition:Λ ⇒
Encode type information in logic
⇒
Λ ⇒
Λ ⇒
Λ
Check downcast
91
Invariant for Path condition:Λ ⇒
Encode type information in logic
⇒
Λ ⇒
Λ ⇒
Λ
92
Extensible static analysis for a modern scripting language
Challenges Solutions
Assignments SSA Transformation
Mutability Extend type system with immutability guarantees
Overloading Two-phased typing
Annotation Overhead Liquid Types
Fixed type tests User specified invariants
TS
Source:
Demo: Thanks!
Refinement Types for TypeScript
Recommended