A Certified Type- Preserving Compiler from Lambda Calculus...
Transcript of A Certified Type- Preserving Compiler from Lambda Calculus...
![Page 1: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/1.jpg)
1
A Certified Type-Preserving Compiler
from Lambda Calculus to Assembly Language
Adam ChlipalaUniversity of California, Berkeley
An experiment with variable binding, denotational semantics, and logical relations in Coq
![Page 2: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/2.jpg)
2
The Big Picture
IntermediateProgram I
SourceProgram
TargetProgram
IntermediateProgram n
....
Certifying compilation:Source and target programs are
observationally equivalent.
Compiler
SourceProgram
Certified compiler:For any valid input, the compiler
produces an observationally equivalent output.
Simply-typed lambda calculus
Idealized assembly language with abstract, type-
directed garbage collectorTransformations: CPS
conversion, closure conversion, explicit heap
allocation, register allocation, ...
Implemented in Coq
Theorem proved in Coq
![Page 3: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/3.jpg)
3
Type-Preserving Compilation
● Preserve static type information in some prefix of the compilation process.
● Taken all the way, you end up with typed assembly language, proof-carrying code, etc..
● More modestly, implement nearly tag-free garbage collection.– Replace tag bits, boxing, etc., with static
tables mapping registers to types.– Used in the MLton SML compiler.
![Page 4: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/4.jpg)
4
What's tricky?
● Nested variable scopes
● Relational reasoning
● Proof management and automation
This is what the POPLmark Challenge is all about!
![Page 5: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/5.jpg)
5
Design Decision #1:Dependently-Typed ASTs
Compiler
InputProgram
OutputProgram
Type Preservation Theorem.If the input program has type T, then the output program has type C(T).
Semantics Preservation Theorem.If the input program has meaning M, then the output program has meaning C(M).
Use dependent types to make the compiler type-preserving by construction!
Typing Derivation Typing Derivation
![Page 6: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/6.jpg)
6
Design Decision #2:Denotational Semantics
Compiler
InputProgram
OutputProgram
Semantics Preservation Theorem.If the input program has meaning M, then the output program has meaning C(M).
Operational Semantics Version:If the input program multi-steps to result v, then the output program
multi-steps to result v.
Denotational Semantics Version:1. Compile the input program to CIC.
2. Compile the output program to CIC.3. The two results must be equal.
![Page 7: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/7.jpg)
7
Secret WeaponsProgramming with dependent types is hard!
Genericprogramming
system
Object language
description
Syntactic support
functions+ generic
proofs of their correctness
The trickiest bits deal with “administrative” operations that adjust variable bindings...
but these are still routine and hardly language-specific!
Writing formal proofs is hard!
“Put the rooster to work!”
The combination of dependent types and denotational semantics enables some very effective decision procedures to be coded in
Coq's Ltac language.
![Page 8: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/8.jpg)
8
Rest of the Talk...
● Summary of compilation● Dependently-typed ASTs● Denotational semantics in Coq● Writing compiler passes
– ...including generic programming of helper functions
● Proving semantics preservation
![Page 9: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/9.jpg)
9
o ::= r | n | new(R, R) | read(r, n)
i ::= r := o; i | jump r
p ::= (I, i)
Source and Target Languages
Source language: simply-typed lambda calculus
¿ ::= N | ¿ ! ¿
e ::= n | x | e e | ¸x : ¿, e
Target language: idealized assembly language
![Page 10: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/10.jpg)
10
Compiler Stages¸x, f x
Closure conversion
let F = ¸e, ¸x, ¸k, e.1 x k in ktop
(hF, [f]i)Explicit heap allocation
let F = ¸e, ¸x, ¸k, e.1.1 e.1.2 x k inlet r1 = [f] in let r2 = [F, r1] in k
top(r2)
Flattening
F: r4 := r1.1; r1 := r4.2; r4 := r4.1; jump r4main: r3 := r1.1; r1 := r1.2;
r2 := new [f]; r2 := new [F, r2]; jump r3
CPS conversion
ktop
(¸x, ¸k, f x k)
![Page 11: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/11.jpg)
11
Correctness Proof
● Compiler and proof implemented entirely within Coq 8.0
● Axioms:– Functional extensionality:
● 8f, g, (8x, f(x) = g(x)) ) f = g
– Uniqueness of equality proofs:
● 8¿, 8x, y : ¿, 8P1, P2 : x = y, P1 = P2
● The compiler is almost runnable as part of a proof.
![Page 12: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/12.jpg)
12
Denotational Semantics of the Source Language
![Page 13: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/13.jpg)
13
For Types...
Inductive ty : Set := | Nat : ty | Arrow : ty > ty > ty.
Fixpoint tyDenote (t : ty) : Set := match t with | Nat => nat | Arrow t1 t2 => tyDenote t1 > tyDenote t2 end.
![Page 14: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/14.jpg)
14
Representing Terms
Inductive term : Set := | Const : nat > term | Var : name > term | Lam : name > term > term | App : term > term > term.
Nominal syntax
![Page 15: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/15.jpg)
15
Representing Terms
Inductive term : Set := | Const : nat > term | Var : nat > term | Lam : term > term | App : term > term > term.
De Bruijn syntax
![Page 16: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/16.jpg)
16
Representing Terms
Inductive term : nat > Set := | Const : forall n, nat > term n | Var : forall n x, x < n > term n | Lam : forall n, term (S n) > term n | App : forall n, term n > term n > term n.
Dependent de Bruijn syntax
![Page 17: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/17.jpg)
17
Representing Terms
Inductive term : list ty > ty > Set := | Const : forall G, nat > term G Nat | Var : forall G t, var G t > term G t | Lam : forall G dom ran, term (dom :: G) ran
> term G (Arrow dom ran) | App : forall G dom ran,
term G (Arrow dom ran)> term G dom> term G ran.
Dependent de Bruijn syntax with typing
![Page 18: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/18.jpg)
18
Term Denotations
Fixpoint termDenote (G : list ty) (t : ty) (e : term G t) {struct e} : subst tyDenote G > tyDenote t := match e in (term G t) return (subst tyDenote G > tyDenote t) with | Const _ n => fun _ => n | Var _ _ x => fun s => varDenote x s | Lam _ _ _ e' => fun s => fun x => termDenote e' (SCons x s) | App _ _ _ e1 e2 => fun s => (termDenote e1 s) (termDenote e2 s) end.
![Page 19: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/19.jpg)
19
Definition of “Values” for FreeOperational Denotational
n value
¸x : ¿, e value
Syntactic characterization used throughout definitions
and proofs
Inherit any “canonical forms” properties of the underlying Coq
types.“A natural number is either zero or a successor of another natural number.”
Caveat: We don't get the same kind of property for functions!
![Page 20: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/20.jpg)
20
No Substitution Function!Operational Denotational
Customized syntactic substitution function written for each object language
(¸x : ¿, e1) e
2 ! e
1[x := e
2]
Reduction rules defined using substitution
Coq's operational semantics provides the substitution operation for us!
![Page 21: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/21.jpg)
21
Free MetatheoremsOperational Denotational
For each object language, give customized, syntactic proofs of properties like:
● Type safety – preservation● Type safety – progress● Confluence● Strong normalization● ...
ObjectLanguage
ObjectLanguage
Meta-theorems proved once and for all about CICThe majority of programming language
theory mechanization experiments only look at proving these sorts of theorems!
![Page 22: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/22.jpg)
22
Free Theorems
Proof. By reflexivity of equality.
Coq's proof checker identifies as equivalent terms that reduce to each other!
This means that both compilation of terms into CIC and evaluation of the results are “zero
cost” operations.
![Page 23: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/23.jpg)
23
But Wait!
Doesn't that only work for languages that are:● Strongly normalizing● Purely functional● Deterministic● Single-threaded● ...etc...
(In other words, a lot like Coq)
![Page 24: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/24.jpg)
24
Monads to the Rescue!
● Summary rebuttal: Take a cue from Haskell.
● Use object language agnostic “embedded languages” to allow expression of “effectful” computations
● Keep using Coq's definitional equality to handle reasoning about pure sublanguages, and even some of the mechanics of impure pieces.
![Page 25: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/25.jpg)
25
Non-Strongly-Normalizing Languages
For closed, first-order programs with basic block structure (e.g., structured assembly)
(pc0, mem
0) (pc
1, mem
1)
Basic blockdenotation
function
A total denotation function that executes a basic block,
determining the next program counter and memory state.
(pc1, mem
1) (pc
2, mem
2)
(pc2, mem
2) (pc
3, mem
3)
(pc1, mem
1)
(pc2, mem
2)
(pc3, mem
3)
Potentially-infinite
trace
A function runs basic blocks repeatedly to build a lazy list describing an execution trace.
(no “non-computational” definitions required)
![Page 26: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/26.jpg)
26
Co-inductive Traces
T ::= n | ? | ✰, T
Termination with a natural number answerRun-time failureTake one more step of
computation.
By keeping only these summaries of program executions, we enable effective equality reasoning.
Example: Garbage collection safetyEquality of traces is a good way to characterize the appropriate effect on programs from rearranging the heap and root pointers to a new, isomorphic configuration.
![Page 27: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/27.jpg)
27
Example Compilation Phase: CPS Transform
Translation works in some context ¡...
but used in context¡, u : ¿
1 ! ¿
2!
Recall that terms are represented as typing derivations.
We need a syntactic helper function equivalent to aweakening lemma.
Type error!
![Page 28: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/28.jpg)
28
Dependently-Typed Syntactic Helper Functions?
● Could just write this function from scratch for each new language.– Probably using tactic-based proof search– The brave (and patient) write the CIC term
directly.● My recipe for writing generic substitution functions
involves three auxiliary recursive functions!
● Much nicer to automate these details using generic programming!– Write each function once, not once per
object language.
![Page 29: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/29.jpg)
29
What Do We Need?
weaken : forall (G : list ty) (t : ty), term G t > forall (t' : ty), term (t' :: G) t
1. The helper function itself
2. Lemmas about the functionFor any term e, properly-typed substitution ¾, and properly-typed value v:
Can prove this generically for any compositional denotation function!For example, for simply-typed lambda calculus, there must exist f
var,
fapp
, and flam
such that:
![Page 30: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/30.jpg)
30
Reflection-Based Generic Programming
Language Definition
(Coq inductive
type)
Reflected Language Definition
(term of CIC)
Coq plug-in(outside the logic)
Generic functionSpecific
function
(type-compatible with original
language definition)
Denotation Function
Reflected Denotation Function
Coq plug-in
Generic proof
Specific proof
![Page 31: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/31.jpg)
31
What to Prove?Overall correctness theorem: The compilation of a program of type N runs to the same result as the original program does.
What do we prove about individual phases?
Prove that input/output pairs are in an appropriate logical relation. E.g., for the CPS transform:
This function space contains many functions not representable in our
object languages!
![Page 32: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/32.jpg)
32
In the Trenches
Easy first step: Use introduction rules for forall's and implications at the start of the goal.
![Page 33: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/33.jpg)
33
In the Trenches
Now we're blocked at the tricky point for automated provers: proving existential facts and applying universal facts.
Key observation: The quantified variables have very specific
dependent types.
We can use greedy quantifier instantiation!
![Page 34: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/34.jpg)
34
In the Trenches
![Page 35: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/35.jpg)
35
In the Trenches
Existential hypotheses are easy to eliminate.
![Page 36: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/36.jpg)
36
In the Trenches
We can't make further progress with this hypothesis, since no term of the type given for k exists in the proof state.
![Page 37: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/37.jpg)
37
In the Trenches
We can simplify the conclusion by applying rewrite rules (like those we generated automatically) until no more apply.
![Page 38: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/38.jpg)
38
In the Trenches
Now the conclusion has a subterm with the right type to instantiate a hypothesis!
![Page 39: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/39.jpg)
39
In the Trenches
We can use H1 to rewrite the goal.
![Page 40: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/40.jpg)
40
In the Trenches
![Page 41: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/41.jpg)
41
And That's That!
● This strategy does almost all of the proving for the CPS transformation correctness proof!– About 20 lines of proof script total.
● Basic approach:– Figure out the right syntactic rewrite lemmas,
prove them, and add them as hints.– State the induction principle to use.– Call a generic tactic from a library.
![Page 42: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/42.jpg)
42
A Recipe for Certified Compilers
1.Define object languages with dependently-typed ASTs.
2.Give object languages denotational semantics.
3.Use generic programming to build basic support functions and lemmas.
4.Write compiler phases as dependently-typed Coq functions.
5.Express phase correctness with logical relations.
6.Prove correctness theorems using a generic decision procedure relying heavily on greedy quantifier instantiation.
![Page 43: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/43.jpg)
43
Design Decisions
● Why dependently-typed ASTs?– Avoid well-formedness side conditions– Easy to construct denotational semantics
defined only over well-typed terms– Makes greedy quantifier instantiation realistic
● Why denotational semantics?– Concise to define– Known to work well with code transformation– Many reasoning steps come for free via Coq's
definitional equality
![Page 44: A Certified Type- Preserving Compiler from Lambda Calculus ...adam.chlipala.net/papers/CtpcPLDI07/CtpcINRIA.pdf3.Use generic programming to build basic support functions and lemmas.](https://reader031.fdocuments.in/reader031/viewer/2022041700/5e412284bc23f723532b8fc9/html5/thumbnails/44.jpg)
44
Conclusion
● Yet another bag of suggestions on how to formalize programming languages and their metatheories and tools!
● Would be interesting to see other approaches to formalizing this kind of compilation.
Acknowledgements
Thanks to my advisor George Necula.
This work was funded by a US National Defense fellowship and the US National Science Foundation.