Combining proofs and programs in a dependently typed language

CasinghinoChris,; SjöbergVilhelm,; WeirichStephanie,

doi:10.1145/2578855.2535883

Cited by 8 publications

(13 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We combined natural deduction principles with PLE-search to prove universality of right-folds, as described in [25] and formalized in Agda [34]. • Functional Correctness We proved correctness of a SAT solver and a unification algorithm as implemented in Zombie [11]. We proved that the SAT solver takes as input a formula f and either returns Nothing or an assignment that satisfies f, by reflecting the notion of satisfaction.…”

Section: Discussionmentioning

confidence: 99%

Refinement reflection: complete verification with SMT

Vazou

Tondwalkar

Choudhury

et al. 2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We introduce Refinement Reflection, a new framework for building SMT-based deductive verifiers. The key idea is to reflect the code implementing a user-defined function into the function's (output) refinement type. As a consequence, at uses of the function, the function definition is instantiated in the SMT logic in a precise fashion that permits decidable verification. Reflection allows the user to write equational proofs of programs just by writing other programs e.g. using pattern-matching and recursion to perform case-splitting and induction. Thus, via the propositions-as-types principle, we show that reflection permits the specification of arbitrary functional correctness properties. Finally, we introduce a proof-search algorithm called Proof by Logical Evaluation that uses techniques from model checking and abstract interpretation, to completely automate equational reasoning. We have implemented reflection in Liqid Haskell and used it to verify that the widely used instances of the Monoid, Applicative, Functor, and Monad typeclasses actually satisfy key algebraic laws required to make the clients safe, and have used reflection to build the first library that actually verifies assumptions about associativity and ordering that are crucial for safe deterministic parallelism.

show abstract

Section: Discussionmentioning

confidence: 99%

Refinement reflection: complete verification with SMT

Vazou

Tondwalkar

Choudhury

et al. 2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…The termination argument uses logical relations and is similar to the arguments of System T (Harper 2015) and Trellys/Zombie (Casinghino et al 2014). The logical relation is defined as 4 mutually recursive functions: E for computation types, V for regular types, W for wps, and P for formulas.…”

Section: Consistency and Weak Normalization Of Pf ⋆mentioning

confidence: 99%

“…For example, with Hoare Type Theory, Nanevski et al (2008) extend Coq with support for interactive proofs of imperative programs. With Trellys and Zombie, Casinghino et al (2014) design new dependently typed languages for interactive proving and programming while accounting for non-termination as an effect. With prior versions of F ⋆ , Swamy et al (2013a) provide SMT-based automated proving for an ML-like programming language, but lack the ability to do interactive proofs.…”

Section: Introductionmentioning

confidence: 99%

Dependent types and multi-monadic effects in F*

et al. 2016

View full text Add to dashboard Cite

We present a new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F* is a dependently typed, higher-order, call-by-value language with _primitive_ effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F* uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F* is a language of pure functions used to write specifications and proof terms---its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F* we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F* is programmed (but not verified) in F*, and bootstraps in both OCaml and F#. Our experience confirms F*'s pay-as-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F* is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F* than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F* in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System F-omega and even micro-F*, a sizeable fragment of F* itself---these proofs make essential use of F*'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.

show abstract

“…The second set of benchmarks corresponds to a set of programs corresponding to such proofs. Arith includes theorems about the growth of the fibonacci and ackermann functions; Fold includes theorems about the universality of traversals; Monoid, Functor, Applicative and Monad includes proofs of the respective category-theoretic laws for the Maybe, List, and Id instances of the respective typeclasses; and finally, SatSolver and Unification are fully verified implementations of the respective algorithms from the Zombie suite which, absent SMT support, requires significantly more local annotations (proof terms) from the user [Casinghino et al 2014;Sjöberg and Weirich 2015].…”

Section: Safety Property Benchmarksmentioning

confidence: 99%

Local refinement typing

Cosman

Jhala

2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We introduce the Fusion algorithm for local refinement type inference, yielding a new SMT-based method for verifying programs with polymorphic data types and higher-order functions. Fusion is concise as the programmer need only write signatures for (externally exported) top-level functions and places with cyclic (recursive) dependencies, after which Fusion can predictably synthesize the most precise refinement types for all intermediate terms (expressible in the decidable refinement logic), thereby checking the program without false alarms. We have implemented Fusion and evaluated it on the benchmarks from the LiqidHaskell suite totalling about 12KLOC. Fusion checks an existing safety benchmark suite using about half as many templates as previously required and nearly 2× faster. In a new set of theorem proving benchmarks Fusion is both 10 − 50× faster and, by synthesizing the most precise types, avoids false alarms to make verification possible.

show abstract

Combining proofs and programs in a dependently typed language

Cited by 8 publications

References 28 publications

Refinement reflection: complete verification with SMT

Refinement reflection: complete verification with SMT

Dependent types and multi-monadic effects in F*

Local refinement typing

Contact Info

Product

Resources

About