Effective interactive proofs for higher-order imperative programs

This paper presents a simple mechanized formalization of Separation Logic for sequential programs. This formalization is aimed for teaching the ideas of Separation Logic, including its soundness proof and its recent enhancements. The formalization serves as support for a course that follows the style of the successful Software Foundations series, with all the statement and proofs formalized in Coq. This course only assumes basic knowledge of λ-calculus, semantics and logics, and therefore should be accessible to a broad audience.

Section: Mechanized Presentations Of Separation Logicmentioning

confidence: 99%

Section: Tutorials On Separation Logicmentioning

confidence: 99%

Separation logic for sequential programs (functional pearl)

Charguéraud

2020

“…This work relates to the large body of work on integrating effects and dependent types. Hoare Type Theory (HTT) [Nanevski et al 2008], used in particular in the Ynot project [Chlipala et al 2009], is realized as an axiomatic extension of Coq with effects encapsulated in a Hoare monad. HTT does not address the main challenge of effectful terms at the type level because it essentially only supports proving in Coq properties on simply-typed imperative programs.…”

Section: Related Workmentioning

confidence: 99%

A reasonably exceptional type theory

Pédrot

Tabareau

Fehrmann

et al. 2019

Traditional approaches to compensate for the lack of exceptions in type theories for proof assistants have severe drawbacks from both a programming and a reasoning perspective. Pédrot and Tabareau recently extended the Calculus of Inductive Constructions (CIC) with exceptions. The new exceptional type theory is interpreted by a translation into CIC, covering full dependent elimination, decidable type-checking and canonicity. However, the exceptional theory is inconsistent as a logical system. To recover consistency, Pédrot and Tabareau propose an additional translation that uses parametricity to enforce that all exceptions are caught locally. While this enforcement brings logical expressivity gains over CIC, it completely prevents reasoning about exceptional programs such as partial functions. This work addresses the dilemma between exceptions and consistency in a more flexible manner, with the Reasonably Exceptional Type Theory (RETT). RETT is structured in three layers: (a) the exceptional layer, in which all terms can raise exceptions; (b) the mediation layer, in which exceptional terms must be provably parametric; (c) the pure layer, in which terms are non-exceptional, but can refer to exceptional terms. We present the general theory of RETT, where each layer is realized by a predicative hierarchy of universes, and develop an instance of RETT in Coq: the impure layer corresponds to the predicative universe hierarchy, the pure layer is realized by the impredicative universe of propositions, and the mediation layer is reified via a parametricity type class. RETT is the first full dependent type theory to support consistent reasoning about exceptional terms, and the CoqRETT plugin readily brings this ability to Coq programmers.

“…Hoare and Dijkstra monads, as used in the context of systems for program verification such as Hoare type theory (HTT) [Nanevski et al 2008], Ynot [Chlipala et al 2009], and F ⋆ [Swamy et al 2013;Ahman et al 2017], provide an extrinsic approach to program verification: they are parameterized by pre-and post-conditions given as arbitrary propositions over the computation state, and any use of a monadic bind between two computations gives rise to proof obligations that the pre-and post-conditions for the two computations are consistent. Proof obligations about preand post-conditions are either proven by appealing to automation for general-purpose proof search (e.g., F ⋆ has integrated proof search facilities) or by manual proof work (e.g., using Coq's Program facility [Sozeau 2008] following Swierstra [2009b]).…”

Section: Related Workmentioning

confidence: 99%

Intrinsically-typed definitional interpreters for imperative languages

Poulsen

Rouvoet

Tolmach

et al. 2017

A definitional interpreter defines the semantics of an object language in terms of the (well-known) semantics of a host language, enabling understanding and validation of the semantics through execution. Combining a definitional interpreter with a separate type system requires a separate type safety proof. An alternative approach, at least for pure object languages, is to use a dependently-typed language to encode the object language type system in the definition of the abstract syntax. Using such intrinsically-typed abstract syntax definitions allows the host language type checker to verify automatically that the interpreter satisfies type safety. Does this approach scale to larger and more realistic object languages, and in particular to languages with mutable state and objects? In this paper, we describe and demonstrate techniques and libraries in Agda that successfully scale up intrinsically-typed definitional interpreters to handle rich object languages with non-trivial binding structures and mutable state. While the resulting interpreters are certainly more complex than the simply-typed λcalculus interpreter we start with, we claim that they still meet the goals of being concise, comprehensible, and executable, while guaranteeing type safety for more elaborate object languages. We make the following contributions: (1) A dependent-passing style technique for hiding the weakening of indexed values as they propagate through monadic code. (2) An Agda library for programming with scope graphs and frames, which provides a uniform approach to dealing with name binding in intrinsically-typed interpreters. (3) Case studies of intrinsically-typed definitional interpreters for the simply-typed λ-calculus with references (STLC+Ref) and for a large subset of Middleweight Java (MJ). CCS Concepts: • Theory of computation → Program verification; Type theory; • Software and its engineering → Formal language definitions;