Types, Proofs, andSafe Mobile CodeThe unusual effectiveness of logic in programming language research
Peter LeeCarnegie Mellon University
January 22, 2001
NSF/CISE Workshop on The Unusual Effectiveness of Logic in Computer Science
CarnegieMellon Logic in PL research
Domain theoryCategory theory
Type
the
ory
Term
rew
ritin
g sy
stem
s
Denotational semanticsOperational semantics
Formal verification
Logic programming
Proof-carrying code
Type-directed compiling
Logic frameworks
Logic is the foundation of modern PL research.
-calculusAbstract Interpretation
CarnegieMellon This talk
A somewhat personal account, by necessity a rather narrow slice.
But similar stories can be found in almost all areas of PL research.
Logic as Language
CarnegieMellon Logic and languages
To PL researchers, logics and languages are often interchangeable.
A vivid example of this is in formal proofs.
Consider: Write “x is a proof of P” as x:P.
CarnegieMellon Formal proofs
We can write formal proofs by application of inference rules.
An example: If we have a proof x of P and a proof y
of Q, then x and y together constitute a proof of P Q.
Or, more compactly: Given x:P, y:Q then (x,y):P*Q.
CarnegieMellon Formal proofs
Another familiar example: Assume we have a proof x of P. If we
can then obtain a proof b of Q, then we have a proof of P Q.
Given [x:P] b:Q then fn (x:P) => b : P Q.
More: Given x:P*Q then fst(x):P Given y:P*Q then snd(y):Q
CarnegieMellon Proofs and types
So, for example:fn (x:P*Q) => (snd(x), fst(x)) : P*Q Q*P
We can develop full metalanguages based on this principle of proofs as programs, propositions as types.
Typechecking gives us proofchecking! Codified in languages such as ML.
CarnegieMellon Applications
This isomorphism has had many applications in logic and in CS.
Proof development systems. NuPrl, Coq, LCF, …
Advanced programming languages. Prolog.
Logical framework languages. Edinburgh Logical Framework.
CarnegieMellon Logical frameworks
The Edinburgh Logical Framework (LF) is a particularly useful language for specifying logics.
CarnegieMellon LF example
exp : typepred : typepf : pred -> type
true : pred/\ : pred -> pred -> pred=> : pred -> pred -> predall : (exp -> pred) -> pred
truei : pf trueandi : {P:pred} {R:pred} pf P -> pf R -> pf (/\ P R)andel : {P:pred} {R:pred} pf (/\ P R) -> pf Pimpi : {P:pred} {R:pred} (pf P -> pf R) -> pf (=> P R)alli : {P:exp -> pred} ({X:exp} pf (P X)) -> pf (all P)alle : {P:exp -> pred} {E:exp} pf (all P) -> pf (P E)
Fragment of first-order logic, Pfenning’s Elf syntax.
CarnegieMellon LF example
The representation of P P P for some predicate P:
The proof of this predicate has the following Elf representation:
(=> P (/\ P P))
(impi P (/\ P P) ([X:pf P] andi P P x x))
Language as Logic
CarnegieMellon Languages and logic
To PL researchers, languages and logics are often interchangeable.
A vivid example of this is in type theory.
CarnegieMellon Type theory
A standard application of type theory involves the following:
Operational (run-time) semantics is defined by an inference system.
Type system is also defined by an inference system.
Logic is used to prove the soundness of the type system wrt the semantics.
A programming language is a logic.
CarnegieMellon Soundness
Soundness: Well-typed programs are guaranteed
to stay within the boundaries defined by the operational semantics.
Well-typed programs won’t go wrong.
CarnegieMellon Practical benefits
Soundness can be hard to prove.
But it essentially converts the very difficult negative property (program won’t go wrong) into a positive property (program is well-typed).
Only need to prove soundness once.
CarnegieMellon Applications
Current research often involves defining the logical core of a language and then studying its properties.
Existing languages. ML, Haskell, JVML, …
New design and implementation features.
Type-directed compiling, region inference, linear typing, …
Proofs, Types, and Safe Mobile Code
CarnegieMellon The code safety problem
Please install and execute this.
Full cartoon
CarnegieMellon Code Safety
CPU
Code
Trusted Host
Is this safe to execute?
CarnegieMellon
TheoremProver
Formal verification
CPU
Code
Flexible andpowerful.
Trusted Host
But really reallyreally hard andmust be correct.
CarnegieMellon A Key Idea: Explicit Proofs
CertifyingProver
CPU
ProofChecker
Code
Proof
Trusted Host
CarnegieMellon
Proof-Carrying Code[Necula & Lee, OSDI’96]
A
B
Formal proof safety in LF Typically nativeor VM code
rlrrllrrllrlrlrllrlrrllrrll…
CarnegieMellon Proof-Carrying Code
CertifyingProver
CPU
Code
Proof
Simple,small (<52KB),and fast.
No longer need totrust this component.
ProofChecker
Reasonable in size (0-10%).
CarnegieMellon
The Role of Languages and Logic
Civilized programming languages can provide “safety for free”.
Well-formed/well-typed safe.
Idea: Arrange for the compiler to “explain” why the target code it generates preserves the safety properties of the source program.
CarnegieMellon
Automation viaCertifying Compilation
CertifyingCompiler
CPU Looks and smells like a compiler.% spjc foo.java bar.class baz.c -ljdk1.2.2
Sourcecode
Proof
Objectcode
CertifyingProver
ProofChecker
CarnegieMellon Safety Policies in LF
jfloat : exp.jinstof : exp -> exp.
of : exp -> exp -> pred.
faddf : {E:exp} {E':exp} pf (of E jfloat) -> pf (of E' jfloat) -> pf (of (fadd E E') jfloat).
ext : {E:exp} {C:exp} {D:exp} pf (jextends C D) -> pf (of E (jinstof C)) -> pf (of E (jinstof D)).
Fragment of rules for the Java type system.
CarnegieMellon Program checking
A proof for(saferd4 (add src_1 (add (imul edx_1 4) 8)))
in the Java specification looks like this (excerpt):(rdArray4 A0 A2 (sub0chk A3) szint (aidxi 4 (below1 A7)))
This proof can be easily validated via LF type checking.
Themes and Conclusions
CarnegieMellon Coherence
Research in programming languages is largely directed towards achieving coherence in software systems.
Main Entry: co·her·encePronunciation: kO-'hir-&n(t)s, -'her-Function: nounDate: 15801 : the quality or state of cohering: as a : systematic or logical connection or consistency b : integration of diverse elements, relationships, or values2 : the property of being coherent
CarnegieMellon Coherence
Coherence requires: ability to analyze/verify
components, and communicate descriptions of
components.
Logic is canonical, in the sense of being the only foundation for this.
CarnegieMellon Esthetics vs. pragmatics
Many of the methods and results are motivated as much by esthetic as they are by pragmatic concerns.
Practical engineering consequences: Minimality and clarity of expression. Scaling up by study of “core” logics. Can sometimes be divorced from real-
world problems, but hard to predict.
CarnegieMellon Practicality
In recent years, a trend towards picking the low-hanging fruit.
Eliminate “simple errors”.
Exposed by the Web, plug-ins, embedded systems, etc.
Even machine languages!
Small theorems about big programs.
CarnegieMellon Conclusions
For much of the history of CS, PL research meant design of languages and compiler technology.
Today, PL technology and concepts advance logic and are applied directly to software artifacts.
“LF in the Unix kernel.”
CarnegieMellon A logical approach
Please install and execute this.
OK, but let me quickly look over the instructions first.
Code producer Host
CarnegieMellon A logical approach
Code producer Host
CarnegieMellon A logical approach
This store instruction is dangerous!
Code producer Host
CarnegieMellon A logical approach
Can you prove that it is always safe?
Code producer Host
CarnegieMellon A logical approach
Can you prove that it is always safe?
Yes! Here’s the proof I got from my certifying Java compiler!
Code producer Host
CarnegieMellon A logical approach
Your proof checks out. I believe you because I believe in logic.
Code producer Hostreturn
Top Related