January 22, 2001

Types, Proofs, andSafe Mobile CodeThe unusual effectiveness of logic in programming language research

Peter LeeCarnegie Mellon University

January 22, 2001

NSF/CISE Workshop on The Unusual Effectiveness of Logic in Computer Science

CarnegieMellon Logic in PL research

Domain theoryCategory theory

Type

the

ory

Term

rew

ritin

g sy

stem

s

Denotational semanticsOperational semantics

Formal verification

Logic programming

Proof-carrying code

Type-directed compiling

Logic frameworks

Logic is the foundation of modern PL research.

-calculusAbstract Interpretation

CarnegieMellon This talk

A somewhat personal account, by necessity a rather narrow slice.

But similar stories can be found in almost all areas of PL research.

Logic as Language

CarnegieMellon Logic and languages

To PL researchers, logics and languages are often interchangeable.

A vivid example of this is in formal proofs.

Consider: Write “x is a proof of P” as x:P.

CarnegieMellon Formal proofs

We can write formal proofs by application of inference rules.

An example: If we have a proof x of P and a proof y

of Q, then x and y together constitute a proof of P Q.

Or, more compactly: Given x:P, y:Q then (x,y):P*Q.

CarnegieMellon Formal proofs

Another familiar example: Assume we have a proof x of P. If we

can then obtain a proof b of Q, then we have a proof of P Q.

Given [x:P] b:Q then fn (x:P) => b : P Q.

More: Given x:P*Q then fst(x):P Given y:P*Q then snd(y):Q

CarnegieMellon Proofs and types

So, for example:fn (x:P*Q) => (snd(x), fst(x)) : P*Q Q*P

We can develop full metalanguages based on this principle of proofs as programs, propositions as types.

Typechecking gives us proofchecking! Codified in languages such as ML.

CarnegieMellon Applications

This isomorphism has had many applications in logic and in CS.

Proof development systems. NuPrl, Coq, LCF, …

Advanced programming languages. Prolog.

Logical framework languages. Edinburgh Logical Framework.

CarnegieMellon Logical frameworks

The Edinburgh Logical Framework (LF) is a particularly useful language for specifying logics.

CarnegieMellon LF example

exp : typepred : typepf : pred -> type

true : pred/\ : pred -> pred -> pred=> : pred -> pred -> predall : (exp -> pred) -> pred

truei : pf trueandi : {P:pred} {R:pred} pf P -> pf R -> pf (/\ P R)andel : {P:pred} {R:pred} pf (/\ P R) -> pf Pimpi : {P:pred} {R:pred} (pf P -> pf R) -> pf (=> P R)alli : {P:exp -> pred} ({X:exp} pf (P X)) -> pf (all P)alle : {P:exp -> pred} {E:exp} pf (all P) -> pf (P E)

Fragment of first-order logic, Pfenning’s Elf syntax.

CarnegieMellon LF example

The representation of P P P for some predicate P:

The proof of this predicate has the following Elf representation:

(=> P (/\ P P))

(impi P (/\ P P) ([X:pf P] andi P P x x))

Language as Logic

CarnegieMellon Languages and logic

To PL researchers, languages and logics are often interchangeable.

A vivid example of this is in type theory.

CarnegieMellon Type theory

A standard application of type theory involves the following:

Operational (run-time) semantics is defined by an inference system.

Type system is also defined by an inference system.

Logic is used to prove the soundness of the type system wrt the semantics.

A programming language is a logic.

CarnegieMellon Soundness

Soundness: Well-typed programs are guaranteed

to stay within the boundaries defined by the operational semantics.

Well-typed programs won’t go wrong.

CarnegieMellon Practical benefits

Soundness can be hard to prove.

But it essentially converts the very difficult negative property (program won’t go wrong) into a positive property (program is well-typed).

Only need to prove soundness once.

CarnegieMellon Applications

Current research often involves defining the logical core of a language and then studying its properties.

Existing languages. ML, Haskell, JVML, …

New design and implementation features.

Type-directed compiling, region inference, linear typing, …

Proofs, Types, and Safe Mobile Code

CarnegieMellon The code safety problem

Please install and execute this.

Full cartoon

CarnegieMellon Code Safety

CPU

Code

Trusted Host

Is this safe to execute?

CarnegieMellon

TheoremProver

Formal verification

CPU

Code

Flexible andpowerful.

Trusted Host

But really reallyreally hard andmust be correct.

CarnegieMellon A Key Idea: Explicit Proofs

CertifyingProver

CPU

ProofChecker

Code

Proof

Trusted Host

CarnegieMellon

Proof-Carrying Code[Necula & Lee, OSDI’96]

A

B

Formal proof safety in LF Typically nativeor VM code

rlrrllrrllrlrlrllrlrrllrrll…

CarnegieMellon Proof-Carrying Code

CertifyingProver

CPU

Code

Proof

Simple,small (<52KB),and fast.

No longer need totrust this component.

ProofChecker

Reasonable in size (0-10%).

CarnegieMellon

The Role of Languages and Logic

Civilized programming languages can provide “safety for free”.

Well-formed/well-typed safe.

Idea: Arrange for the compiler to “explain” why the target code it generates preserves the safety properties of the source program.

CarnegieMellon

Automation viaCertifying Compilation

CertifyingCompiler

CPU Looks and smells like a compiler.% spjc foo.java bar.class baz.c -ljdk1.2.2

Sourcecode

Proof

Objectcode

CertifyingProver

ProofChecker

CarnegieMellon Safety Policies in LF

jfloat : exp.jinstof : exp -> exp.

of : exp -> exp -> pred.

faddf : {E:exp} {E':exp} pf (of E jfloat) -> pf (of E' jfloat) -> pf (of (fadd E E') jfloat).

ext : {E:exp} {C:exp} {D:exp} pf (jextends C D) -> pf (of E (jinstof C)) -> pf (of E (jinstof D)).

Fragment of rules for the Java type system.

CarnegieMellon Program checking

A proof for(saferd4 (add src_1 (add (imul edx_1 4) 8)))

in the Java specification looks like this (excerpt):(rdArray4 A0 A2 (sub0chk A3) szint (aidxi 4 (below1 A7)))

This proof can be easily validated via LF type checking.

Themes and Conclusions

CarnegieMellon Coherence

Research in programming languages is largely directed towards achieving coherence in software systems.

Main Entry: co·her·encePronunciation: kO-'hir-&n(t)s, -'her-Function: nounDate: 15801 : the quality or state of cohering: as a : systematic or logical connection or consistency b : integration of diverse elements, relationships, or values2 : the property of being coherent

CarnegieMellon Coherence

Coherence requires: ability to analyze/verify

components, and communicate descriptions of

components.

Logic is canonical, in the sense of being the only foundation for this.

CarnegieMellon Esthetics vs. pragmatics

Many of the methods and results are motivated as much by esthetic as they are by pragmatic concerns.

Practical engineering consequences: Minimality and clarity of expression. Scaling up by study of “core” logics. Can sometimes be divorced from real-

world problems, but hard to predict.

CarnegieMellon Practicality

In recent years, a trend towards picking the low-hanging fruit.

Eliminate “simple errors”.

Exposed by the Web, plug-ins, embedded systems, etc.

Even machine languages!

Small theorems about big programs.

CarnegieMellon Conclusions

For much of the history of CS, PL research meant design of languages and compiler technology.

Today, PL technology and concepts advance logic and are applied directly to software artifacts.

“LF in the Unix kernel.”

CarnegieMellon A logical approach

Please install and execute this.

OK, but let me quickly look over the instructions first.

Code producer Host


Code producer Host


This store instruction is dangerous!

Code producer Host


Can you prove that it is always safe?

Code producer Host


Can you prove that it is always safe?

Yes! Here’s the proof I got from my certifying Java compiler!

Code producer Host


Your proof checks out. I believe you because I believe in logic.

Code producer Hostreturn

January 22, 2001

Documents

Transcript of January 22, 2001