Metasepi team meeting #16: Safety on ATS language + MCU

transcript

Metasepi team meeting #16:　Safety on ATS language + MCU

Metasepi team meeting #16:Safety on ATS language + MCU

Kiwamu Okabe @ Metasepi ProjectKiwamu Okabe @ Metasepi ProjectKiwamu Okabe @ Metasepi ProjectKiwamu Okabe @ Metasepi ProjectKiwamu Okabe @ Metasepi Project

Who am I?Who am I?Who am I?Who am I?Who am I?

☆ http://www.masterq.net/☆ http://www.masterq.net/☆ http://www.masterq.net/☆ http://www.masterq.net/☆ http://www.masterq.net/

☆ Self employed software engineer☆ Self employed software engineer☆ Self employed software engineer☆ Self employed software engineer☆ Self employed software engineer

☆ Trade name := METASEPI DESIGN☆ Trade name := METASEPI DESIGN☆ Trade name := METASEPI DESIGN☆ Trade name := METASEPI DESIGN☆ Trade name := METASEPI DESIGN

☆ Founder of Metasepi Project☆ Founder of Metasepi Project☆ Founder of Metasepi Project☆ Founder of Metasepi Project☆ Founder of Metasepi Project

☆ A Debian Maintainer☆ A Debian Maintainer☆ A Debian Maintainer☆ A Debian Maintainer☆ A Debian Maintainer

☆ 10 years' experience in developing OS using NetBSD☆ 10 years' experience in developing OS using NetBSD☆ 10 years' experience in developing OS using NetBSD☆ 10 years' experience in developing OS using NetBSD☆ 10 years' experience in developing OS using NetBSD

AgendaAgendaAgendaAgendaAgenda

☆ [1] What is Metasepi?☆ [1] What is Metasepi?☆ [1] What is Metasepi?☆ [1] What is Metasepi?☆ [1] What is Metasepi?

☆ [2] How to create Metasepi?☆ [2] How to create Metasepi?☆ [2] How to create Metasepi?☆ [2] How to create Metasepi?☆ [2] How to create Metasepi?

☆ [3] Demo using ATS language☆ [3] Demo using ATS language☆ [3] Demo using ATS language☆ [3] Demo using ATS language☆ [3] Demo using ATS language

☆ [4] What is ATS language?☆ [4] What is ATS language?☆ [4] What is ATS language?☆ [4] What is ATS language?☆ [4] What is ATS language?

☆ [5] Why ATS language is safe?☆ [5] Why ATS language is safe?☆ [5] Why ATS language is safe?☆ [5] Why ATS language is safe?☆ [5] Why ATS language is safe?

☆ [6] ATS programming on MCU☆ [6] ATS programming on MCU☆ [6] ATS programming on MCU☆ [6] ATS programming on MCU☆ [6] ATS programming on MCU

[1] What is Metasepi?[1] What is Metasepi?[1] What is Metasepi?[1] What is Metasepi?[1] What is Metasepi?

http://metasepi.org/http://metasepi.org/http://metasepi.org/http://metasepi.org/http://metasepi.org/

☆ Unix-like OS designed by strong type.☆ Unix-like OS designed by strong type.☆ Unix-like OS designed by strong type.☆ Unix-like OS designed by strong type.☆ Unix-like OS designed by strong type.

☆ Using ML's or more strong type.☆ Using ML's or more strong type.☆ Using ML's or more strong type.☆ Using ML's or more strong type.☆ Using ML's or more strong type.

Why need Metasepi?Why need Metasepi?Why need Metasepi?Why need Metasepi?Why need Metasepi?

☆ We have already Linux or Windows.☆ We have already Linux or Windows.☆ We have already Linux or Windows.☆ We have already Linux or Windows.☆ We have already Linux or Windows.

☆ But the developers are suffering.☆ But the developers are suffering.☆ But the developers are suffering.☆ But the developers are suffering.☆ But the developers are suffering.

☆ If use the kernel changed by you,☆ If use the kernel changed by you,☆ If use the kernel changed by you,☆ If use the kernel changed by you,☆ If use the kernel changed by you,

☆ you will get many runtime error.☆ you will get many runtime error.☆ you will get many runtime error.☆ you will get many runtime error.☆ you will get many runtime error.

☆ Difficult even to reproduce it.☆ Difficult even to reproduce it.☆ Difficult even to reproduce it.☆ Difficult even to reproduce it.☆ Difficult even to reproduce it.

Doesn't OSS have good quality?Doesn't OSS have good quality?Doesn't OSS have good quality?Doesn't OSS have good quality?Doesn't OSS have good quality?

☆ "The Cathedral and the Bazaar"☆ "The Cathedral and the Bazaar"☆ "The Cathedral and the Bazaar"☆ "The Cathedral and the Bazaar"☆ "The Cathedral and the Bazaar"

☆ "Given enough eyeballs, all bugs are shallow."☆ "Given enough eyeballs, all bugs are shallow."☆ "Given enough eyeballs, all bugs are shallow."☆ "Given enough eyeballs, all bugs are shallow."☆ "Given enough eyeballs, all bugs are shallow."http://cruel.org/freeware/cathedral.htmlhttp://cruel.org/freeware/cathedral.htmlhttp://cruel.org/freeware/cathedral.htmlhttp://cruel.org/freeware/cathedral.htmlhttp://cruel.org/freeware/cathedral.html

☆ But if you develop your own product re-using OSS...☆ But if you develop your own product re-using OSS...☆ But if you develop your own product re-using OSS...☆ But if you develop your own product re-using OSS...☆ But if you develop your own product re-using OSS...

Low quality out of OSS umbrellaLow quality out of OSS umbrellaLow quality out of OSS umbrellaLow quality out of OSS umbrellaLow quality out of OSS umbrella

Type safetyType safetyType safetyType safetyType safety

☆ Less runtime errors☆ Less runtime errors☆ Less runtime errors☆ Less runtime errors☆ Less runtime errors

☆ "数理科学的バグ撲滅方法論のすすめ"☆ "数理科学的バグ撲滅方法論のすすめ"☆ "数理科学的バグ撲滅方法論のすすめ"☆ "数理科学的バグ撲滅方法論のすすめ"☆ "数理科学的バグ撲滅方法論のすすめ"http://itpro.nikkeibp.co.jp/article/COLUMN/20060915/248230/http://itpro.nikkeibp.co.jp/article/COLUMN/20060915/248230/http://itpro.nikkeibp.co.jp/article/COLUMN/20060915/248230/http://itpro.nikkeibp.co.jp/article/COLUMN/20060915/248230/http://itpro.nikkeibp.co.jp/article/COLUMN/20060915/248230/

Kernel wants type desperatelyKernel wants type desperatelyKernel wants type desperatelyKernel wants type desperatelyKernel wants type desperately

☆ Kernels are developed with C.☆ Kernels are developed with C.☆ Kernels are developed with C.☆ Kernels are developed with C.☆ Kernels are developed with C.

☆ Error on user space => SEGV☆ Error on user space => SEGV☆ Error on user space => SEGV☆ Error on user space => SEGV☆ Error on user space => SEGV

☆ Error on kernel space => Halt!☆ Error on kernel space => Halt!☆ Error on kernel space => Halt!☆ Error on kernel space => Halt!☆ Error on kernel space => Halt!

☆ Should design kernel with the greatest care.☆ Should design kernel with the greatest care.☆ Should design kernel with the greatest care.☆ Should design kernel with the greatest care.☆ Should design kernel with the greatest care.

☆ C language is safe?☆ C language is safe?☆ C language is safe?☆ C language is safe?☆ C language is safe?

Remember Heartbleed bug?Remember Heartbleed bug?Remember Heartbleed bug?Remember Heartbleed bug?Remember Heartbleed bug?

Should we use safer language than C?Should we use safer language than C?Should we use safer language than C?Should we use safer language than C?Should we use safer language than C?== In English =="Preventing heartbleed bugs with safe programming languages"http://bluishcoder.co.nz/2014/04/11/preventing-heartbleed-bugs-with-safe-languages.html

== In Japanease =="安全なプログラミング言語を使って heartbleed を防ぐには"https://github.com/jats-ug/translate/blob/master/Web/bluishcoder.co.nz/2014/04/11/preventing-heartbleed-bugs-with-safe-languages.md

== In English =="Preventing heartbleed bugs with safe programming languages"http://bluishcoder.co.nz/2014/04/11/preventing-heartbleed-bugs-with-safe-languages.html

"A safer systems programming language could have prevented the bug.""A safer systems programming language could have prevented the bug.""A safer systems programming language could have prevented the bug.""A safer systems programming language could have prevented the bug.""A safer systems programming language could have prevented the bug."

[2] How to create Metasepi?[2] How to create Metasepi?[2] How to create Metasepi?[2] How to create Metasepi?[2] How to create Metasepi?

☆ Language: Strongly typed language☆ Language: Strongly typed language☆ Language: Strongly typed language☆ Language: Strongly typed language☆ Language: Strongly typed language

☆ Base code: NetBSD kernel☆ Base code: NetBSD kernel☆ Base code: NetBSD kernel☆ Base code: NetBSD kernel☆ Base code: NetBSD kernel

☆ Design: Snatch-driven development☆ Design: Snatch-driven development☆ Design: Snatch-driven development☆ Design: Snatch-driven development☆ Design: Snatch-driven development

Snatch-driven development #1Snatch-driven development #1Snatch-driven development #1Snatch-driven development #1Snatch-driven development #1

http://en.wikipedia.org/wiki/Snatcherhttp://en.wikipedia.org/wiki/Snatcherhttp://en.wikipedia.org/wiki/Snatcherhttp://en.wikipedia.org/wiki/Snatcherhttp://en.wikipedia.org/wiki/Snatcher

Snatch-driven development #2Snatch-driven development #2Snatch-driven development #2Snatch-driven development #2Snatch-driven development #2

Iterative developmentIterative developmentIterative developmentIterative developmentIterative development

[3] Demo: ATS on raw Arduino[3] Demo: ATS on raw Arduino[3] Demo: ATS on raw Arduino[3] Demo: ATS on raw Arduino[3] Demo: ATS on raw Arduinohttps://github.com/fpiot/arduino-mega2560-atshttps://github.com/fpiot/arduino-mega2560-atshttps://github.com/fpiot/arduino-mega2560-atshttps://github.com/fpiot/arduino-mega2560-atshttps://github.com/fpiot/arduino-mega2560-ats

Demo: ATS on mbed platformDemo: ATS on mbed platformDemo: ATS on mbed platformDemo: ATS on mbed platformDemo: ATS on mbed platformhttps://github.com/fpiot/mbed-atshttps://github.com/fpiot/mbed-atshttps://github.com/fpiot/mbed-atshttps://github.com/fpiot/mbed-atshttps://github.com/fpiot/mbed-ats

[4] What is ATS language?[4] What is ATS language?[4] What is ATS language?[4] What is ATS language?[4] What is ATS language?

http://www.ats-lang.org/http://www.ats-lang.org/http://www.ats-lang.org/http://www.ats-lang.org/http://www.ats-lang.org/

☆ Syntax like ML☆ Syntax like ML☆ Syntax like ML☆ Syntax like ML☆ Syntax like ML

☆ Dependent types☆ Dependent types☆ Dependent types☆ Dependent types☆ Dependent types

☆ Linear types☆ Linear types☆ Linear types☆ Linear types☆ Linear types

☆ Without any runtime☆ Without any runtime☆ Without any runtime☆ Without any runtime☆ Without any runtime

☆ Optional GC☆ Optional GC☆ Optional GC☆ Optional GC☆ Optional GC

ATS compile flowATS compile flowATS compile flowATS compile flowATS compile flow

[5] Why ATS language is safe?[5] Why ATS language is safe?[5] Why ATS language is safe?[5] Why ATS language is safe?[5] Why ATS language is safe?

☆ Line is at between caller and callee☆ Line is at between caller and callee☆ Line is at between caller and callee☆ Line is at between caller and callee☆ Line is at between caller and callee

☆ ATS applies type to the line☆ ATS applies type to the line☆ ATS applies type to the line☆ ATS applies type to the line☆ ATS applies type to the line

☆ Type can enforce invariant in them☆ Type can enforce invariant in them☆ Type can enforce invariant in them☆ Type can enforce invariant in them☆ Type can enforce invariant in them

Usage of Linear ListUsage of Linear ListUsage of Linear ListUsage of Linear ListUsage of Linear List$ vi sample_list.dats#include "share/atspre_staload.hats"implement main0 () = { val l1 = list_vt_make_pair<int> (1, 2) val l2 = list_vt_make_pair<int> (3, 4) val () = println! ("l1 := [", l1, "] / l2 := [", l2, "]")

val l3 = list_vt_append (l1, l2) val l4 = list_vt_reverse l3 val () = println! ("l4 := [", l4, "]") val () = println! ("length(l4) := ", length l4) val () = free l4}$ patscc -DATS_MEMALLOC_LIBC -o sample_list sample_list.dats$ ./sample_listl1 := [1, 2] / l2 := [3, 4]l4 := [4, 3, 2, 1]length(l4) := 4

$ vi sample_list.dats#include "share/atspre_staload.hats"implement main0 () = { val l1 = list_vt_make_pair<int> (1, 2) val l2 = list_vt_make_pair<int> (3, 4) val () = println! ("l1 := [", l1, "] / l2 := [", l2, "]")

Compile error: without freeCompile error: without freeCompile error: without freeCompile error: without freeCompile error: without free$ vi sample_list.dats#include "share/atspre_staload.hats"implement main0 () = { val l1 = list_vt_make_pair<int> (1, 2) val l2 = list_vt_make_pair<int> (3, 4) val () = println! ("l1 := [", l1, "] / l2 := [", l2, "]")

val l3 = list_vt_append (l1, l2) val l4 = list_vt_reverse l3 val () = println! ("l4 := [", l4, "]") val () = println! ("length(l4) := ", length l4)// val () = free l4 // <= Changed}$ patscc -DATS_MEMALLOC_LIBC -o sample_list sample_list.dats--snip--The 2nd translation (binding) of [sample_list.dats] is successfully completed!/home/kiwamu/tmp/sample_list.dats: 59(line=2, offs=22) -- 396(line=12, offs=2): error(3): the linear dynamic variable [l4$3440(-1)] needs to be consumed but it is preserved with the type [S2Eapp(S2Ecst(list_vt0ype_int_vtype); S2Eapp(S2Ecst(INV); S2EVar(4102)), S2EVar(4103))] instead.

Type of Linear ListType of Linear ListType of Linear ListType of Linear ListType of Linear List(* File: prelude/basics_dyn.sats *)datavtypelist_vt0ype_int_vtype (a:vt@ype+, int) = | {n:int | n >= 0} list_vt_cons (a, n+1) of (a, list_vt0ype_int_vtype (a, n)) | list_vt_nil (a, 0) of ()stadef list_vt = list_vt0ype_int_vtype

(* File: prelude/basics_dyn.sats *)datavtypelist_vt0ype_int_vtype (a:vt@ype+, int) = | {n:int | n >= 0} list_vt_cons (a, n+1) of (a, list_vt0ype_int_vtype (a, n)) | list_vt_nil (a, 0) of ()stadef list_vt = list_vt0ype_int_vtype

make_pairmake_pairmake_pairmake_pairmake_pair(* File: prelude/SATS/list_vt.sats *)fun{x:vt0p}list_vt_make_pair (x1: x, x2: x):<!wrt> list_vt (x, 2)

(* File: prelude/SATS/list_vt.sats *)fun{x:vt0p}list_vt_make_pair (x1: x, x2: x):<!wrt> list_vt (x, 2)

lengthlengthlengthlengthlength(* File: prelude/SATS/list_vt.sats *)fun{x:vt0p}list_vt_length{n:int} (xs: !list_vt (INV(x), n)):<> int n

(* File: prelude/SATS/list_vt.sats *)fun{x:vt0p}list_vt_length{n:int} (xs: !list_vt (INV(x), n)):<> int n

appendappendappendappendappend(* File: prelude/SATS/list_vt.sats *)fun{a:vt0p} list_vt_append {n1,n2:int} ( xs1: list_vt (INV(a), n1), xs2: list_vt (a, n2)) :<!wrt> list_vt (a, n1+n2)

(* File: prelude/SATS/list_vt.sats *)fun{a:vt0p} list_vt_append {n1,n2:int} ( xs1: list_vt (INV(a), n1), xs2: list_vt (a, n2)) :<!wrt> list_vt (a, n1+n2)

reversereversereversereversereverse(* File: prelude/SATS/list_vt.sats *)fun{x:vt0p}list_vt_reverse{n:int} (xs: list_vt (INV(x), n)):<!wrt> list_vt (x, n)

(* File: prelude/SATS/list_vt.sats *)fun{x:vt0p}list_vt_reverse{n:int} (xs: list_vt (INV(x), n)):<!wrt> list_vt (x, n)

freefreefreefreefree(* File: prelude/basics_dyn.sats *)vtypedefList_vt (a:vt0p) = [n:int] list_vt (a, n)

(* File: prelude/SATS/list_vt.sats *)fun{x:t0p}list_vt_free (xs: List_vt (INV(x))):<!wrt> voidoverload free with list_vt_free

(* File: prelude/basics_dyn.sats *)vtypedefList_vt (a:vt0p) = [n:int] list_vt (a, n)

[6] ATS programming on MCU[6] ATS programming on MCU[6] ATS programming on MCU[6] ATS programming on MCU[6] ATS programming on MCU

You can choose the following 2-way.You can choose the following 2-way.You can choose the following 2-way.You can choose the following 2-way.You can choose the following 2-way.

On BareMetal hardwareOn BareMetal hardwareOn BareMetal hardwareOn BareMetal hardwareOn BareMetal hardware

☆ Arduino (8-bit AVR)☆ Arduino (8-bit AVR)☆ Arduino (8-bit AVR)☆ Arduino (8-bit AVR)☆ Arduino (8-bit AVR)

☆ Cortex-M (32-bit ARM)☆ Cortex-M (32-bit ARM)☆ Cortex-M (32-bit ARM)☆ Cortex-M (32-bit ARM)☆ Cortex-M (32-bit ARM)

On RTOSOn RTOSOn RTOSOn RTOSOn RTOS

☆ mbed☆ mbed☆ mbed☆ mbed☆ mbed

☆ ChibiOS/RT☆ ChibiOS/RT☆ ChibiOS/RT☆ ChibiOS/RT☆ ChibiOS/RT

ATS on BareMetal hardwareATS on BareMetal hardwareATS on BareMetal hardwareATS on BareMetal hardwareATS on BareMetal hardware

Read/write memory using pointer.Read/write memory using pointer.Read/write memory using pointer.Read/write memory using pointer.Read/write memory using pointer.

ATS on RTOSATS on RTOSATS on RTOSATS on RTOSATS on RTOS

Interaction with C.Interaction with C.Interaction with C.Interaction with C.Interaction with C.

Japan ATS User GroupJapan ATS User GroupJapan ATS User GroupJapan ATS User GroupJapan ATS User Group

http://jats-ug.metasepi.org/http://jats-ug.metasepi.org/http://jats-ug.metasepi.org/http://jats-ug.metasepi.org/http://jats-ug.metasepi.org/

☆ In a parody of http://jaws-ug.jp/☆ In a parody of http://jaws-ug.jp/☆ In a parody of http://jaws-ug.jp/☆ In a parody of http://jaws-ug.jp/☆ In a parody of http://jaws-ug.jp/

☆ Translate ATS docs into Japanese☆ Translate ATS docs into Japanese☆ Translate ATS docs into Japanese☆ Translate ATS docs into Japanese☆ Translate ATS docs into Japanese

☆ Push the Facebook like button, now!☆ Push the Facebook like button, now!☆ Push the Facebook like button, now!☆ Push the Facebook like button, now!☆ Push the Facebook like button, now!

Many translated documentsMany translated documentsMany translated documentsMany translated documentsMany translated documents* ATSプログラミング入門 http://jats-ug.metasepi.org/doc/ATS2/INT2PROGINATS/index.html* ATSプログラミングチュートリアル http://jats-ug.metasepi.org/doc/ATS2/ATS2TUTORIAL/index.html* Effective ATS https://github.com/jats-ug/translate/blob/master/Manual/EffectiveATS.md* MLプログラマ向けATS言語ガイド https://github.com/jats-ug/translate/blob/master/Web/cs.likai.org/ats/ml-programmers-guide-to-ats.md* 安全なプログラミング言語を使って heartbleed を防ぐには https://github.com/jats-ug/translate/blob/master/Web/bluishcoder.co.nz/2014/04/11/preventing-heartbleed-bugs-with-safe-languages.md* 状態を持つ観 (view) を通じてポインタを扱う安全なプログラミング https://github.com/jats-ug/translate/blob/master/Paper/SPPSV-padl05/SPPSV-padl05.md

* ATSプログラミング入門 http://jats-ug.metasepi.org/doc/ATS2/INT2PROGINATS/index.html* ATSプログラミングチュートリアル http://jats-ug.metasepi.org/doc/ATS2/ATS2TUTORIAL/index.html* Effective ATS https://github.com/jats-ug/translate/blob/master/Manual/EffectiveATS.md* MLプログラマ向けATS言語ガイド https://github.com/jats-ug/translate/blob/master/Web/cs.likai.org/ats/ml-programmers-guide-to-ats.md* 安全なプログラミング言語を使って heartbleed を防ぐには https://github.com/jats-ug/translate/blob/master/Web/bluishcoder.co.nz/2014/04/11/preventing-heartbleed-bugs-with-safe-languages.md* 状態を持つ観 (view) を通じてポインタを扱う安全なプログラミング https://github.com/jats-ug/translate/blob/master/Paper/SPPSV-padl05/SPPSV-padl05.md

Follow me!Follow me!Follow me!Follow me!Follow me!

https://twitter.com/jats_ughttps://twitter.com/jats_ughttps://twitter.com/jats_ughttps://twitter.com/jats_ughttps://twitter.com/jats_ug

Metasepi team meeting #16: Safety on ATS language + MCU

Technology