Certified Correctness for Higher-order Programs
-
Upload
zahir-ellis -
Category
Documents
-
view
22 -
download
0
description
Transcript of Certified Correctness for Higher-order Programs
![Page 1: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/1.jpg)
Certified Correctness for Higher-order Programs
Nikhil SwamyMicrosoft Research, Redmond
![Page 2: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/2.jpg)
Vampire Simplify CVC4
VeriFastWhy3
Boogie
Spec#
Many recent successes for semi-automated verifiers
![Page 3: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/3.jpg)
JavaScript: Higher-order state everywhere!+ AJAX, Event handlers, jQuery, DOM,… Element.addEventListener(ev, function(node){…}) $('li').each(function(index) { .. })
Delegates, lambdas, LINQ, RX, … delegate B Func<A,B>(A arg) foreach (var i in L) {…}
Lambdas everywhere!
But, modern languages are pervasively higher-order!
![Page 4: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/4.jpg)
Higher-order verifiers ~interactive proof assistants
Agda NuPRL …
Very expressive logics! :-)
Impoverished programming languagesPure total functions only :-(
![Page 5: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/5.jpg)
An ML-like languagewith an SMT-based
dependent type system
Enter F* … http://research.microsoft.com/fstar
Fournet Chen Strub Dagand Schlesinger Weinberger Livshits
Bhargavan Borgstrom Chugh Fredrikson Guha Yang Jeannin Swamy
![Page 6: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/6.jpg)
val f: x:int -> y:int{y = x + 1}let f x = x + 1
val hd: xs:list 'a{xs<>[]} -> 'alet hd = function | x::_ -> x | _ -> raise Not_found
val counter: unit -> Writer x:int{x >= 0}let counter = let c = ref 0 in fun () -> c := !c + 1; !c
val compose: (x:'b -> DST 'c (WP_f x)) -> (y:'a -> DST 'b (WF_g y))
-> z:'a -> DST 'c (WP_f . WP_g z)let compose f g x = f (g x)
Term language is core-ML, in a syntax resembling F#/Caml-light
Type language allows expressing precise, functional properties
![Page 7: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/7.jpg)
7
F* source: core-ML with dependent refinement types uses SMT solvers to discharge proof obligations (ESOP ‘10, ICFP’11)
F* source
Z3Type-checker + Compiler
JavaScript
val f: x:int -> y:int{y=x+1}let f x = x + 1
Z3
rDCIL
rDCIL Type-Checker
.NET Virtual Machine
C#, F#,… rDCIL
Interop with C#, VB.NET, F#,…Run on Azure, Windows Phone 7
Preserve types in .NET (PLDI ’10) class C<‘a::int => *>
Coq
Type-checkeritself in F*
Self-certified core type-checker(POPL ’12)
Fully abstract compiler to JS(POPL ’13)
JS verification by translation to F*(PLDI ’13)
![Page 8: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/8.jpg)
Expressions e
Types t
Kinds
0, 1, 2,… true, false, …fun x -> e
Values v
int, bool, … int -> bool…
list int
sz:int -> init:'a -> array sz 'a
array 17 float
0:intfun x->e : int->bool
int:Sint->bool:S
S list:S => S
array:int=>S=>S
S => S
int => S => S
nat = x:int{x >= 0}
sz:nat -> init:'a -> array sz 'a
int => int => E
nat:S
(>=):int => int => E
E
zero = x:int{x = 0}
0:zerofun x->e : int->bool
(=):'a:S => 'a => 'a => E
let x = e in e' match v with D x -> e ref v | v1 := v2 | !v | …
![Page 9: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/9.jpg)
S universeArbitraryEffectful
computation
P universeConstructive
logic core , total functions
E universeAll terms, including ghost terms
A universeAffine types for
controlling effects
The four base-kinds/universes of F*{S, E, A, P}
P <: E S <: E A <: E
![Page 10: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/10.jpg)
http://rise4fun.com/FStar/tutorial/guide
http://rise4fun.com/FStar/plplY
http://rise4fun.com/FStar/FCE
http://rise4fun.com/FStar/8Ky
http://rise4fun.com/FStar/tutorial/jsStar
![Page 11: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/11.jpg)
Reasoning about effects in
monadic F*
![Page 12: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/12.jpg)
val swap: r1:ref 'a -> r2:ref 'a -> Writer unit (Requires λh. Perm r1 h /\ Perm r2 h) (Ensures λh () h'. Perm r1 h' /\ Perm r2 h' /\ h'[r1]=h[r2]
/\ h'[r2]=h[r1]) (Modifies {r1,r2})let swap r1 r2 = let tmp = !r1 in r1 := !r2; r2 := tmp
Reads and writes the heapPre-condition is a heap predicate (heap => E)
Permission to read and write r1, r2
Post-condition: Relates pre-heap, result and post-heap
heap => 'a => heap => E
h = h' on all ref cells except {r1, r2}, and any newly allocated ref cells
![Page 13: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/13.jpg)
Closures and local state
let evens () = let i = ref 0 in fun () -> i := !i + 1; 2*!i
let evens' () = let i = ref 0 in let j = ref 0 in fun () -> i := !i + 1;
j := !j + 1; !i + !j
Can we give both the same spec, hiding local state from the client?
![Page 14: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/14.jpg)
Idea: pack the closure with invariant on its local state, hiding the representation from the client
type evens_t = | Pkg: 'Inv:heap =>E -> fp:refset -> (unit
-> Writer int(Requires λh. 'Inv (h|fp))(Ensures λh i h'.i%2=0 /\ 'Inv (h'|
fp))(Modifies fp))
-> evens_t
Pkg (Perm i) {i} (fun () -> i:=!i+1; 2*!i) : evens_t
'Inv is a pre- and post-condition of the closure
(h|fp) is the fragment of the heap h whose domain is the set fp of refs
Closure returns an even number
fp={i} footprint of the local state
'Inv instantiated to Perm i
![Page 15: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/15.jpg)
let evens () = let i = ref 0 in Pkg (Perm i) {i} (fun () -> i := !i + 1; 2*!i)
let evens' () = let i = ref 0 in let j = ref 0 in Pkg (λh. Perm i h /\ Perm j h /\ h[i]=h[j]) {i,j} (fun () -> i := !i + 1; j := !j + 1; !i + !j)
Both return evens_t … almost there
The closure owns permission to {i,j};i and j always hold the same value
![Page 16: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/16.jpg)
val evens, evens’: unit -> Writer evens_t (Requires λh.True) (Ensures λh v h'. Pkg.Inv v (h'| Pkg.fp v) /\ Fresh h (Pkg.fp v)) (Modifies {})
Return evens_t
Pkg.Inv: evens_t => heap => E projects the first component of a Pkg value, i.e., the invariant
Pkg.fp: evens_t -> refset projects the second component of a Pkg value, i.e., the footprint
Ensures that the invariant of evens_t holds on the footprint
And that the footprint is fresh
evens_t is a strong sum Can project the existentially bound variables
![Page 17: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/17.jpg)
PLDI ‘13Solutions to VSTTE ‘11 competition with heavy use of local stateVerified library for JavaScript runtime supportJavaScript source code (browser extensions)
To date: nearly 50,000 lines of verified F* code
![Page 18: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/18.jpg)
But, what does it mean to verify a program in F*, formally?
![Page 19: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/19.jpg)
F* in Coq(simplified)
Inductive Tipe :=| Tarrow : name -> Tipe -> Tipe -> Tipe| …with Expr :=| Elam : name -> Tipe -> Expr -> Expr | … .
Inductive Typing : Env -> Config -> Tipe -> Type := | WFVar: g:Env -> x:name -> t:Tipe -> In g (x,t)
–> Typing g (Eval (Var x)) t…
Inductive Steps : Config -> Config :=| …
Deep embedding of syntax of F* in Coq
F* typing relation as an inductive type in Coq
8 mutually recursive judgments, ~65 rules
F* op. semantics
![Page 20: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/20.jpg)
Theorem Preservation: forall G e e’ t, Typing G e t -> Steps e e’ -> Typing G e’ t.
Theorem Progress: forall G e t,Typing G e t
-> Value e \/ (exists e’. Steps e e’)
Metatheory of F* in Coq(simplified)
Well-typed F* programs do not contain failing assertions
![Page 21: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/21.jpg)
Theorem (Correspondence of the P universe): Terms in F*’s logical core of constructive proofs can be embedded in Coq, and the embedding is a forward simulation
More Metatheory of F*(proved manually)
Corollary: F*’s logical core of constructive proofs is strongly normalizing
P universe S universe
E universe
A universe
![Page 22: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/22.jpg)
But, what about the type checker implementation?
![Page 23: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/23.jpg)
Z3
Src.fst
F* checker programmed
in F# F* checker in F*
Coq
Bootstrap certification
Theorem? If src.fst type checks then it does not go wrong.
Self-Certification
![Page 24: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/24.jpg)
Z3
Src.fst
F* typechecker
Theorem: If src.fst typechecks then it does not go wrong.
Type-checker in F*
![Page 25: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/25.jpg)
Theorem Preservation: …Theorem Progress: …
Metatheory.v (Coq)
CoqF*
Definitions.v (Coq)Inductive Tipe := .. Inductive Typing := … …
Correspondence
theorem
Definitions.fst (F*)type Tipe = .. type Typing = … …
check_expr: G:Env -> e:Expr ->
t:Tipe-> Partial (Typing G e
t)check_expr’s result (if any) is a valid typing derivation
Kernel type checker: 5,200 lines of F* code organized into 11 modules
![Page 26: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/26.jpg)
Correspondence
theorem
Theorem Preservation: …Theorem Progress: …
Metatheory.v (Coq)
CoqF*
Definitions.v (Coq)Inductive Tipe := .. Inductive Typing := … …
Definitions.fst (F*)type Tipe = .. type Typing = … …
check_expr: G:Env -> e:Expr ->
t:Tipe-> Partial (Typing G e
t)check_expr’s result (if any) is a valid typing derivation
Pretty print
as Coq term
Typing derivation for
check_expr
Typing derivation for
check_expr
Theorem: forall G e t v, Steps (check_expr (embed G) (embed e)
(embed t)) (Evalue v) -> Typing G e t
7.3GB Coq termTook 24 machine-days to check
![Page 27: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/27.jpg)
![Page 28: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/28.jpg)
![Page 29: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/29.jpg)
What next?
• More bootstrapping– Always elaborating into core F* is expensive– Certify higher-level checkers once and for al
• Meta F* in F*– Prove syntactic soundness of F* in F*– (See tutorial on STLC for flavor)
![Page 30: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/30.jpg)
What next?
• JavaScript, TypeScript, and friends– Verification of JS/TS source– Fully abstract embedding of Safe TS in JS
• Relational F*– A logic for hyperproperties encoded in F*
• …
![Page 31: Certified Correctness for Higher-order Programs](https://reader035.fdocuments.in/reader035/viewer/2022070401/56813611550346895d9d8833/html5/thumbnails/31.jpg)
http://research.microsoft.com/fstar/
Try it out … happy to help you get started!
CERTIFI
ED