The document discusses the ATS programming language, which aims to unify implementation, formal specification, and proof in one language. It has dependent types, linear types, and is compiled to C, JavaScript, and Erlang. ATS can be used for safety critical software, resource management, and integrating with C. Examples are provided of using dependent types for specifications and verification via theorem proving. The last sections discuss using ATS for modeling concurrent systems and combining type checking with model checking for verification.

1. Zhiqiang Ren
Boston University

2. Research Outline
 Goal: Software Development with Verification
 Specification: What is correct anyway?
 Verification: Will the program behave correctly?
 Our Work: Put them together in one language.

3. What is ATS (statically)?
 http://www.ats-lang.org
 Statically typed programming language that unifies
implementation, formal specification, and proof.
 ML like syntax
 Dependent Types
 Linear Types
 Compiled to C, JavaScript, Erlang

4. What is ATS (dynamically)?
 As efficient as C/C++ (see The Computer Language
Benchmarks Game for concrete evidence).
 Supports a variety of programming paradigm
(Functional, Imperative, Concurrent, and Modular
programming).
 Feature-Rich practical PL: closure, pattern match,
unboxed data representation, polymorphism
(overloading, template).
 Optional Runtime and GC.

5. What is ATS good for?
 Building safety critical software without losing
efficiency.
 Direct manipulating native unboxed data representation.
 Tracking resources (e.g. memory) with linear types.
 Integrating with C seamlessly.
 Building program without runtime / gc (good for kernel
development)
 Enforcing correctness via theorem proving.

6. What has been built using ATS?
 ATS itself, and ATS website (JavaScript)
 Scientific Computing
 Linux Device Driver
 Kernel
 Terrier: OS in development for Panda and Beagle Boards.
 Model Checker for ATS (under construction)

7. Helloworld in ATS
$ vi helloworld.dats
#include “share/atspre_staload.hats”
val () = println! (“Hello, World!”)
implement main0 () = let
val x = 1 + 3
in
println! (“x = “, x)
end
$ patscc helloworld.dats –o helloworld
$ ./helloworld
Hello, World!
x = 4

8. ATS Compile Process
ATS source code
Dynamics
Business Logic Proof
Statics
Types integer boolean ……
ATS compiler
Type Check
C source code
Binary
Compile
GCC compiler Compile

9. Dependent Types (Singleton Type)
#include “share/atspre_staload.hats”
val x = 2 / (1 – 1) // type error
fun mydiv {x,y:int} (a: int x, b: int y): [z:int] int z =
if b != 0 then a / b
else $raise div_by_0_exception
val y = mydiv (2, 1 – 1) // no type error
fun foo {x,y:int} (a:int x, b: int y): int (3 * (x + y)) = let
val v1 = 3 * a
val v2 = 3 * b
in
(v1 + v2)
end
1: int 1
/: {x,y: int | y != 0}
(int x, int y): [z:int] int z
Blue: type indices in the statics
Red: Entities in the dynamics
some types

10. Dependent Types (array)
// arrayref (a, n) is a type.
// It depends on two indices: type of element, length of array
fun{a:t@ype} array_make_elt{n:int}
(asz: size_t n, elt: a): arrayref (a, n)
fun{a:t@ype} arrayref_get_at {n:int}{i:nat | i < n}
(A: arrayref (a, n), pos: size_t i): a
overload [] with arrayref_get_at
fun{a:t@ype} arrayref_set_at {n:int}{i:nat | i < n}
(A: arrayref (a, n), pos: size_t i, x: a): void
overload [] with arrayref_set_at
typedef Int = [x:int] int x
val arr: arrayref (Int, 3) = arrayref_make_elt<Int> (i2sz(3), 0)
val v = arr[2]
val () = arr[i2sz(v)] := 99
val () = assertloc (v < 3)
val () = assertloc (v >= 0)
prfun fun pure_assert {b:bool}
(bool b): [b == true] void
prval () = pure_assert (v < 3)
prval () = pure_assert (v >= 0)

11. Specification:
What should a function do?
• SUM (x) = 0 + 1 + 2 + … + x
• relation: y = SUM (x)
y = SUM (x) = 0 if x = 0
y= SUM (x) = x + y1 if SUM (x - 1) = y1
fun sum (x: int): int =
if x = 0 then 0
else x + sum (x – 1)
)(.int:)0.(int: xSUMyyoutputyxinputxx 
No Connection
between two worlds!
Implementation

12. Specification: Encoding via types
dataprop SUM (int, int) =
| SUMbas (0, 0) of ()
| {x,y1:int} SUMind (x+1, y1+x+1) of SUM (x, y1)
fun sum {x:int | x >= 0} (a: int x):
[y:int] (SUM (x, y) | int y) =
if a = 0 then (SUMbase () | 0)
else let
val (pf1 | s) = sum(a - 1)
prval pf = SUMind (pf1)
in
(pf | s + a)
end

13. Verification: Theorem Proving
dataprop SUM (int, int) =
| SUMbas (0, 0) of ()
| {x,y1:int} SUMind (x+1, y1+x+1) of SUM (x, y1)
fun sum_mul{x: int | x >= 0} (a: int x):
[s: int] (MUL (x, x+1, s) | int (s/2)) = let
val sum = a * (a + 1)
prval pf = mul_make ()
in
(pf | sum / 2)
end
extern prfun mul2sum {x,s:int | x >= 0}
(pf: MUL (x, x+1,s)): SUM (x, s / 2)
fun sum {x:int | x >= 0} (a: int x):
[y:int] (SUM (x, y) | int y) = let
val (pf_mul | sum) = sum_mul(a)
prval pf_sum = mul2sum (pf_mul)
in
(pf_sum | sum)
end

14. Linear Type (Intuition)
 Program Entities of linear types can be consumed once
and exactly once.
Creation of
Linear Object
Passing on
Linear Object
Destruction of
Linear Object

15. Linear Type (viewtype)
 Resource Management: lock, memory, interrupt, …
absviewt@ype lock
extern fun lock_acquire (): lock
extern fun lock_release (l: lock >> _): void
fun foo (): void = let
val l = lock_acquire ()
// ... process
val () = lock_release (l) // must release only once
in
end

16. Linear Type (View)
fun{a:vt0p} ptr_alloc ()
:<> [l:addr | l > 0]
(
a? @ l, mfree_gc_v (l) | ptr l
)
fun ptr_free {a:t@ype}{l:addr}
(
pfgc: mfree_gc_v (l)
, pfat: a @ l
| p: ptr l
):<> void
a? @ l
mfree_gc_v (l)
ptr l
view
(linear
proof)
Concrete
Code
Can Deference
Can NOT Deference

17. Program Verification
Prove that the implementation
meets the specification
Theorem Proving
Model Checking

18. Combining Type Checking and
Model Checking
 Modeling concurrent software system using ATS
 Eliminate bugs in models as much as possible by type
checking
 Verify models by model checking against temporal
properties (e.g. deadlock freeness, atomicity,
specification in linear temporal logic, and etc)

19. Q & A
 Thank You.
 Questions?