Dependent Types for JavaScript Ravi Chugh Ranjit Jhala University of California, San Diego David...

DependentTypes for JavaScript

Ravi Chugh Ranjit JhalaUniversity of California, San Diego

David HermanMozilla Research

Pervasive

Used at Massive Scale

Why Add Types?

var x = {};

x.f.f;

produces undefined rather than error…

… but this raises TypeError

Why Add Types?

There Are Run-time Errorsreading from undefined, applying non-function values, …

Worse: Browsers Hide Them!

var x = {};

x.f.f;

Why Add Types?

Prevent Errors

Prevent the Unexpected

Okay, But Who Cares?

ProgrammersJSLint, Closure Compiler, TypeScript, Dart

Browser VendorsCompete based on performance, security, reliability

Standards CommitteesActively evolving JavaScript and Web standards

Isn’t the Language Terrible?

JavaScript

implicit global object

scope manipulation

var lifting

‘,,,’ == new Array(4)

JavaScript

scope manipulation

var lifting

‘,,,’ == new Array(4)

objects prototypes

lambdastype-tests

JavaScript

“The Good Parts”

scope manipulation

var lifting

‘,,,’ == new Array(4)

objects prototypes

lambdastype-tests

JavaScript

PriorType

Systems

Key Idea:Use Logic!

Our Approach

JavaScript

Dependent JavaScriptDJS

Outline

Motivation

Our Approach: Logic!

Evaluation

typeof true // “boolean”

typeof 0.1 // “number”typeof 0 // “number”

typeof {} // “object”typeof [] // “object”typeof null // “object”

typeof returns run-time “tags”

Tags are very coarse-grained types

“undefined”

“boolean”

“string”

“number”

“object”

“function”

Refinement Types{x|p}

“set of values x s.t. formula p is true”

{n|tag(n) = “number” }Num

{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool

{i|tag(i) = “number” integer(i) }Int

{x|true }Any

{n|tag(n) = “number” }Num

{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool

{i|tag(i) = “number” integer(i) }Int

{x|true }Any

Refinement Types

Syntactic Sugarfor Common Types

Refinement Types

3 :: {n|n = 3}

{n|n > 0} 3 ::{n|tag(n) = “number” integer(n)} 3 ::{n|tag(n) = “number”} 3 ::

Refinement Types

{n|n = 3}

{n|n > 0} {n|tag(n) = “number” integer(n)} {n|tag(n) = “number” }

<:<:<:<:

Subtyping is Implication

Refinement Types

{n|n = 3}

{n|n > 0} {n|tag(n) = “number” integer(n)} {n|tag(n) = “number” }

Subtyping is Implication

ArraysPrototypesMutable ObjectsDuck TypingTag-Tests

Tag-Tests ArraysPrototypesMutable ObjectsDuck Typing

var negate = function(x) {

if (typeof x == “boolean”)

return !x;

return 0 - x;

negate( )

// false

return !x;

return 0 - x;

negate( )

0 - 2 // -2

return !x;

return 0 - x;

negate( )

0 - [] // 0WAT?!

return !x;

return 0 - x;

} Use types to prevent implicit coercion

(-) :: (Num,Num) Num

return !x;

return 0 - x;

Function type annotation inside

comments

//: negate :: (x:Any) Any

return !x;

return 0 - x;

so negationis well-typed

x is boolean...

DJS is Path Sensitive

return !x;

return 0 - x;

x is arbitrarynon-boolean value…so DJS signals error!

DJS is Path Sensitive

return !x;

return 0 - x;

//: negate :: (x:NumOrBool) Any

return !x;

return 0 - x;

//: negate :: (x:NumOrBool) Any

this time,x is a number…✓so subtractionis well-typed

return !x;

return 0 - x;

//: negate :: (x:NumOrBool) Any✓

but returntype is imprecise

//: negate :: (x:NumOrBool) NumOrBool

return !x;

return 0 - x;

/*: negate :: (x:NumOrBool) {v|tag(v) = tag(x)} */

return !x;

return 0 - x;

output type depends on input value

/*: negate :: (x:NumOrBool) {v|tag(v) = tag(x)} */

Programmer choosesdegree of precision

in specification

Duck Typing ArraysPrototypesMutable ObjectsTag-Tests

if (duck.quack)

return “Duck says ” + duck.quack();

return “This duck can’t quack!”;

What is “Duck Typing”?

if (duck.quack)

(+) :: (Num,Num) Num

(+) :: (Str,Str) Str

if (duck.quack)

Can dynamically testthe presence of a method

but not its type

if (duck.quack)

{d|tag(d) = “Dict”∧

{v|has(d,“quack”)

{v| sel(d,“quack”) :: UnitStr }

Operators from McCarthy theory of arrays

if (duck.quack)

{v| sel(d,“quack”) :: Unit Str }

Call produces Str, so concat well-typed

Mutable Objects ArraysPrototypesTag-Tests Duck Typing

var x = {};

x.f = 7;

x.f + 2;

x0:Empty

x1:{d|d = upd(x0,“f”,7)}

DJS is Flow Sensitive

McCarthy operatorDJS verifies that x.f is definitely a number

Mutable Objects ArraysPrototypesTag-Tests Duck Typing

var x = {};

x.f = 7;

x.f + 2;

x0:Empty

x1:{d|d = upd(x0,“f”,7)}

DJS is Flow Sensitive

Strong updates to singleton objects

Weak updates to collections of objects

ArraysPrototypesTag-Tests Duck Typing Mutable Objects

Typical“Dynamic”Features

ArraysPrototypesTag-Tests Duck Typing Mutable Objects

Typical“Dynamic”Features

JavaScript

Harder, butDJS handles them

Prototypes ArraysTag-Tests Mutable ObjectsDuck Typing

parent

grandpa

Upon construction, each object links to a

prototype object

If child contains k, then Read k from child

Else if parent contains k, then Read k from parent

Else if grandpa contains k, then Read k from grandpa

Else if …

Else Return undefined

parent

grandpa

var k = “first”; child[k];Semantics of Key Lookup

parent

grandpa

H(Rest of Heap)

Else if …

{v|if has(child,k) then

{v|ifv=sel(child,k)

parent

grandpa

H(Rest of Heap)

Else if …

{v|ifv=sel(child,k)

{v|else if has(parent,k) then

{v|ifv=sel(parent,k)

Else if …

{v|ifv=sel(child,k)

parent

grandpa ???

H(Rest of Heap)

{v|ifv=sel(child,k)

{v|else

{v|ifv=HeapSel(H,grandpa,k)) }

parent

grandpa ???

H(Rest of Heap)

Abstract predicateto summarize theunknown portion

of the prototype chain

{v|ifv=sel(child,k)

{v|else

{ “first” : “John” }child

parent{ “first” : “Ida”, “last” : “McCarthy” }

grandpa ???

H(Rest of Heap)

{v|v=“John”}

var k = “first”; child[k];

{v|ifv=sel(child,k)

{v|else

{ “first” : “John” }child

parent{ “first” : “Ida”, “last” : “McCarthy” }

grandpa ???

H(Rest of Heap)

var k = “last”; child[k];

{v|v=“McCarthy”}

Key Idea:

Reduce prototypesemantics to decidable

theory of arrays

Prototype Chain Unrolling

ArraysTag-Tests PrototypesMutable ObjectsDuck Typing

var nums = [0,1,2]while (…) { nums[nums.length] = 17}

A finite tuple…

… extended to unbounded collection

var nums = [0,1,2]while (…) { nums[nums.length] = 17}

delete nums[1]

for (i = 0; i < nums.length; i++) sum += nums[i]

A “hole” in the array

Missing element within “length”

Track types, “packedness,” and lengthof arrays where possible

{a |a :: Arr(T)

{a | packed(a)

{a | len(a) = 10}

X T T T T… X ……

T? T? T? T? T?… T? ……

T? { x | T(x) x = undefined }

-1 0 1 2 len(a)

X { x | x = undefined }

{a |a :: Arr(Any)

{a | packed(a) len(a) = 2

{a | Int(sel(a,0))

{a | Str(sel(a,1))}

Encode tuples as arrays

var tup = [17, “cacti”]

tup[tup.length] = true

{a |a :: Arr(Any)

{a | packed(a) len(a) = 3

{a | …}

DJS handles other quirks:

Special length property

Array.prototypeNon-integer keys

Tag-Tests PrototypesMutable ObjectsDuck Typing Arrays

What About eval?

Arbitrary code loading

eval(“…”);

Old Types

What About eval?…

eval(“…”);

//: #assume

Old Types

New TypesNew Types

“Contract Checking” at Run-timeaka “Gradual Typing”

Recap of DJS Techniques

Logic!

Path and Flow Sensitivity

Prototype Unrolling

Syntactic Sugar

Outline

Motivation

Our Approach: Logic!

Evaluation

objects prototypes

lambdastype-tests

arrays

13 Benchmarks

objects prototypes

lambdastype-tests

arrays

13 Benchmarks

objects prototypes

lambdastype-tests

arrays

13 Benchmarks

Four inheritance patterns fromCrockford’s JS: The Good Parts

objects prototypes

lambdastype-tests

arrays

13 Benchmarks

Array-manipulating examplesfrom SunSpider

objects prototypes

lambdastype-tests

arrays

13 Benchmarks

typeOf() function to replace typeoffrom Closure Compiler

objects prototypes

lambdastype-tests

arrays

13 Benchmarks

Well-typed programsdon’t have run-time errors

DesugaredProgram

DJSProgram

DesugarerBased on Guha et al.

[ECOOP 2010]

Implementation

JavaScript λ-Calculus + References + Prototypes

DesugaredProgram

Z3 SMTSolver

TypeChecker

DJSProgram

DesugarerBased on Guha et al.

[ECOOP 2010]

ImplementationProgrammer Chooses

Warnings or Errors

Local Type Inference

Subtyping w/o Z3 If Possible

Annotation Burden

+= ~300 LOC to start+= ~100 LOC annotations

=+ ~400 LOC total

(Improved since paper)

33% Annotation Overhead

Common Cases Simplified viaSyntactic Sugar and Local Type Inference

Performance(Improved since paper)

Total benchmark suite:

~10 seconds~1100 Z3 queries

11/13 benchmarks in 0-1 s

Common Cases Fast viaSyntactic Reasoning When Possible

Future Work

Syntax, Inference, Performance

Larger Examples

Type Checker in JS; Run in Browser

IDE Support for Refactoring, etc.

JavaScript

Types via Logic!DJS

Thanks!

ravichugh.com/djs

D::PS: I’m on the Job Market

Extra Slides

refinement types

dependent types

Expressivity

“Usability”

+ nested refinements

System D[POPL ’12]

DependentJavaScript

[this paper]

syntactic types

occurrence types

∨, ∧

System D [POPL 2012]+ Types for JS Primitives+ Strong Updates+ Quirky JS Arrays+ Prototype Inheritance

Dependent JavaScript (DJS)

/*: x:NumOrBool {ite Num(x) Num(v) Bool(v)} */

function negate(x) { x = (typeof x == “number”) ? 0 – x : !x return x}

/*: x:Any {v iff falsy(x)} */

function negate(x) { x = (typeof x == “number”) ? 0 – x : !x return x}

Function Types and Objects{p} {v|p}

ObjHas(d,k,H,d’) has(d,k) HeapHas(H,d’,k)

/*: x:Ref / [x |-> d:Dict |> x.pro] {v iff ObjHas(d,”f”,curHeap,x.pro)} / sameHeap */

function hasF(x) { return “f” in x}

x:T1/H1 T2/H2

Function Types and Objects

output typeinput heap

input type output heap

ObjSel(d,k,H,d’) ite has(d,k) sel(d,k) HeapSel(H,d’,k)

x:T1/H1 T2/H2

Function Types and Objects

output typeinput heap

input type output heap

/*: x:Ref / [x |-> d:Dict |> x.pro] {v = ObjSel(d,”f”,curHeap,x.pro)} / sameHeap */

function readF(x) { return x.f}

return !x;

return 0 - x;

negate( )

0 - “2”// -2

“2”

Whoa, but perhaps okay…

return !x;

return 0 - x;

negate( )

0 - undefined// NaN

undefinedError would be nicer,

but okay…

return !x;

return 0 - x;

negate( )

0 - {}// NaN

Seems about right…

return !x;

return 0 - x;

negate( )

0 - [] // 0

negate has good intentionsBut too many corner cases in JS semantics!

if (duck.quack)

{v| sel(d,“quack”) :: Unit Str }

Function types nested inside refinements

[POPL 2012]

ArraysPrototypesTag-Tests Duck Typing

var x = {};

x.f.f; Programmer configures DJS to report either

warnings or errors for:

1) Possible unbound keys

Mutable Objects

ArraysPrototypesTag-Tests Duck Typing

var x = {};

x.f.f; Programmer configures DJS to report either

warnings or errors for:

1) Possible unbound keys

2) Possible run-time errors

Mutable Objects

Dependent Types for JavaScript Ravi Chugh Ranjit Jhala University of California, San Diego David...

Documents

Transcript of Dependent Types for JavaScript Ravi Chugh Ranjit Jhala University of California, San Diego David...

Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego.

Towards Dependent Types for JavaScript Ravi Chugh, David Herman, Ranjit Jhala University of California, San Diego Mozilla Research.

Prolog CSE 130 : Spring 2010 16: Ranjit Jhala UC San Diego

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Nested Refinements: A Logic for Duck Typing Ravi Chugh, Pat Rondon, Ranjit Jhala (UCSD) ::

Refinement Types for TypeScriptgoto.ucsd.edu/~pvekris/docs/RefScript-pldi16-talk.pdf · Refinement Types for TypeScript Panagiotis Vekris Benjamin Cosman Ranjit Jhala University of

Deep Typechecking and Refactoring Zachary Tatlock, Chris Tucker, David Shuffleton, Ranjit Jhala, Sorin Lerner 1 University of California, San Diego.

CSE 130 [Spring 2014] Programming Languages · CSE 130 [Spring 2014] Programming Languages Ravi Chugh! Course Introduction! Apr 01 Filling in today for Ranjit Jhala

CSE 130 : Winter 2006 Programming Languages Ranjit Jhala UC San Diego Lecture: Datatypes and Recursion.

Software Verification : Introduction › ~rjhala › classes › sp13 › cse291 › ...Software Veri cation : Introduction Ranjit Jhala, UC San Diego April 4, 2013

Lazy Abstraction Lecture 2: Modular Analyses Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

Refinement Types for TypeScript - Ranjit Jhala · Ruby – have popularized the use of higher-order constructs ... • We develop a core calculus that permits locally ﬂow- ... We

CSE 130: Fall 2010 Deconstructing ML Ranjit Jhala UC … · Deconstructing ML Ranjit Jhala UC San Diego Ol D econs t ruc ti ng O cam l ... Java/Python/C/C++ In ... Data model in Prolog

Welcome to PLDI 2009 General chair: Michael Hind Program chair: Amer Diwan Tutorial chair: Kim Hazelwood Workshops chair: Ranjit Jhala FIT chair: Rodric.

Abstract Refinement Types Niki Vazou 1, Patrick M. Rondon 2, and Ranjit Jhala 1 1 UC San Diego 2 Google 1.

Using Types For Software Verification Ranjit Jhala, UC San Diego (with Pat Rondon, Ming Kawaguchi)

CSE 130 : Fall 2009 1: Hello, world. Ranjit Jhala UC San …cseweb.ucsd.edu/classes/fa09/cse130/lectures/lec1-ink.pdfQuake: QuakeC (Game Scripting) Facebook: FBML, FBJS SQL, Renderman,

Finding and Preventing Bugs in JavaScript BindingsFinding and Preventing Bugs in JavaScript Bindings Fraser Brown⋆ Shravan Narayan† Riad S. Wahby⋆ Dawson Engler⋆ Ranjit Jhala†

Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.

Http:// Patrick M. Rondon, Ming Kawaguchi, Ranjit Jhala University of California, San Diego.