Verifying type soundness in HOL for OCaml: the core language

Size: px

Start display at page:

Download "Verifying type soundness in HOL for OCaml: the core language"

Pierce Ray
5 years ago
Views:

1 Verifying type soundness in HOL for OCaml: the core language p. 1/40 Verifying type soundness in HOL for OCaml: the core language Scott Owens and Gilles Peskine University of Cambridge

2 Verifying type soundness in HOL for OCaml: the core language p. 2/40 Full-scale Calculi and pragmatic additions Understand the pragmatics Ensure a working combination Program verification

3 Verifying type soundness in HOL for OCaml: the core language p. 3/40 The Goal Type soundness Accuracy

4 Verifying type soundness in HOL for OCaml: the core language p. 4/40 The Players Objective Caml HOL Ott

5 Verifying type soundness in HOL for OCaml: the core language p. 5/40 Outline OCaml specification Testing Experience Ott asides

6 Verifying type soundness in HOL for OCaml: the core language p. 6/40 OCaml Core ML/Caml light No modules No objects Operational semantics: LTS Type system: declarative

7 Verifying type soundness in HOL for OCaml: the core language p. 7/40 OCaml: Types typeconstr ::= typeconstr_name int exn list option ref... typexpr ::= α _ typexpr 1 typexpr 2 typexpr 1... typexpr n typeconstr typexpr typeconstr (typexpr 1,..., typexpr n )typeconstr...

8 Verifying type soundness in HOL for OCaml: the core language p. 8/40 Ott Aside Ott: typexpr1 *... * typexprn :: :: tuple Hol: TE_tuple of typexpr list

9 Verifying type soundness in HOL for OCaml: the core language p. 9/40 OCaml: Data constr ::= constr_name Match_failure None Some... constant ::= int_literal constr true false [] ()... unary_prim ::= raise ref not! binary_prim ::= + / := =

10 Verifying type soundness in HOL for OCaml: the core language p. 10/40 OCaml: Patterns pattern ::= value_name _ pattern as value_name pattern 1 ::pattern 2 constant pattern 1,..., pattern n constr (pattern 1,..., pattern n ) constr _ {field 1 = pattern 1 ;... ; field n = pattern n } (pattern 1 pattern 2 )

11 Verifying type soundness in HOL for OCaml: the core language p. 11/40 Ott Aside pattern as value_name :: :: alias (+ xs = xs(pattern) union value_name +) pattern1,..., patternn :: :: tuple (+ xs = xs(pattern1...patternn) +)

12 Verifying type soundness in HOL for OCaml: the core language p. 12/40 OCaml: Expressions expr ::= ( %prim unary_prim ) ( %prim binary_prim ) value_name constant (expr : typexpr ) expr 1,..., expr n constr (expr 1,.., expr n ) expr 1 ::expr 2 {field 1 = expr 1 ;... ; field n = expr n } {expr withfield 1 = expr 1 ;... ; field n = expr n } expr.field expr 1 expr 2...

13 Verifying type soundness in HOL for OCaml: the core language p. 13/40 OCaml: Expressions expr ::= whileexpr 1 doexpr 2 done forx = expr 1 [down]toexpr 2 doexpr 3 done letpattern = expr inexpr let rec letrec_bindings in expr try expr with pattern_matching location... pattern_matching ::= pattern 1 expr 1... pattern n expr n letrec_bindings ::= letrec_binding 1 and...andletrec_binding n letrec_binding ::= value_name = function pattern_matching

14 Verifying type soundness in HOL for OCaml: the core language p. 14/40 Ott Aside let rec letrec_bindings in expr :: :: letrec (+ bind xs(letrec_bindings) in letrec_bindings +) (+ bind xs(letrec_bindings) in expr +)

15 Verifying type soundness in HOL for OCaml: the core language p. 15/40 OCaml: Definitions definition ::= let let_binding let rec letrec_bindings type_definition exception_definition type_definition ::= typetypedef 1 and..andtypedef n typedef ::= type_params typeconstr_name = type_information type_information ::= constr_decl 1... constr_decl n {field_decl 1 ;... ; field_decl n }

16 Verifying type soundness in HOL for OCaml: the core language p. 16/40 OCaml: Evaluation in Context e 1 e 1 v 0 L e 1 L e 1 v 0 JR_expr (Expr_apply expr1 expr2) a1 a2 = ( e1. (a2 = Expr_apply e1 expr2) is_value_of_expr expr2 JR_expr expr1 a1 e1 )...

17 Verifying type soundness in HOL for OCaml: the core language p. 17/40 OCaml: Evaluation in Context e 1 e 1 v 0 L e 1 L e 1 v 0

18 Verifying type soundness in HOL for OCaml: the core language p. 18/40 OCaml: Store ref v ref v =l l!l!l =v v

19 Verifying type soundness in HOL for OCaml: the core language p. 19/40 OCaml: Primitives let (+) = (-) in let f x = x 4 in f ((+) 1)

20 Verifying type soundness in HOL for OCaml: the core language p. 20/40 OCaml: Primitives let (+) = (%uprim -) in let f x = x 4 in f ((%uprim +) 1)

21 Verifying type soundness in HOL for OCaml: the core language p. 21/40 OCaml: Currying let f = function 1 -> function _ -> 0;; f 2;; let f = function 1 -> function _ -> 0 _ -> function _ -> raise Match_failure;; f 2;;

22 Verifying type soundness in HOL for OCaml: the core language p. 22/40 OCaml: Binding type t = C of int;; let v = C 1;; type t = D of bool;; let _ = match v with D (b) -> (b && false);;

23 Verifying type soundness in HOL for OCaml: the core language p. 23/40 OCaml: Binding type t1 = C of int;; let v = C 1;; type t2 = C of bool;; let _ = v;;

24 Verifying type soundness in HOL for OCaml: the core language p. 24/40 OCaml: Binding let v1 = function x -> x;; let x = 1;; let v2 = v1 9;;

25 Verifying type soundness in HOL for OCaml: the core language p. 25/40 OCaml: Environments E ::= empty E,EB EB ::= TV value_name : typescheme constr_name of typeconstr constr_name of type_params, ( typexprs ) : typeconstr field_name : type_params, typeconstr_name typexpr typeconstr_name : kind typeconstr_name : kind {field_name 1 ;... ; field_name n } location : typexpr

26 Verifying type soundness in HOL for OCaml: the core language p. 26/40 Ott Aside environment, E :: Env_ ::= {{ hol (environment_binding list) }} empty :: :: nil {{ hol [] }} E, EB :: :: cons {{ hol ([[EB]]::[[E]]) }} EB1,.., EBn :: M :: list {{ hol (REVERSE [[EB1.. EBn]]) En :: M :: tree {{ hol (FLAT (REVERSE [[E1.. En]])) }}

27 Verifying type soundness in HOL for OCaml: the core language p. 27/40 OCaml: Polymorphism shift01σ T &E,TV pat = nexp x 1 : t 1,.., x n : t n σ T 1 : t 1,.., x n : t n e : t σ T &E letpat = nexp ine : t E value_name value_name : ts E t ts E value_name : t

28 Verifying type soundness in HOL for OCaml: the core language p. 28/40 Ott Aside value_name : typexpr :: M :: vntype {{ com value binding with no universal quantifier }} {{ ich (EB_vn [[value_name]] (TS_forall (shiftt 0 1 [[typexpr]]))) }}

29 Verifying type soundness in HOL for OCaml: the core language p. 29/40 OCaml: Type Annotations Does it have a type? let f (x : a) : a = (x : a) && true;;

30 Verifying type soundness in HOL for OCaml: the core language p. 30/40 OCaml: Type Annotations let f (x : a) : a = (x : a) && true;; f : bool bool

31 Verifying type soundness in HOL for OCaml: the core language p. 31/40 OCaml: Type Annotations let f (x : a) : a = (x : a) && true;; σ T &E e : t E t σ T src_t σ T &E (e : src_t ) : t σ T &E,TV pat = nexp (x 1 : t 1 ),.., (x k : t k ) E letpat = nexp : (x 1 : t 1 ),.., (x k : t k )

32 Verifying type soundness in HOL for OCaml: the core language p. 32/40 Testing Our approach: Deterministic, small-step reduction function FP in a theorem prover Objective Caml s parser Other approaches: Logic programming Big step

33 Verifying type soundness in HOL for OCaml: the core language p. 33/40 Testing e 1 e 1 v 0 L e 1 L e 1 v 0 JR_expr (Expr_apply expr1 expr2) a1 a2 = ( e1. (a2 = Expr_apply e1 expr2) is_value_of_expr expr2 JR_expr expr1 a1 e1 )... red (Expr_apply expr1 expr2) = red_2 expr1 expr2 Expr_apply eval_apply

34 Verifying type soundness in HOL for OCaml: the core language p. 34/40 Statistics: Proof 6 man-months 9K HOL, 561 lemmas 3.7K Ott 50 pages typeset Grammar: 251 productions, 55 non-terminals (142, 63 source) Type system: 173 rules, 28 relations Op. Sem.: 137 rules, 15 relations, 12 helper functions

35 Verifying type soundness in HOL for OCaml: the core language p. 35/40 Statistics: Testing 540 lines HOL 145 tests Full coverage

36 Verifying type soundness in HOL for OCaml: the core language p. 36/40 Proof in HOL Operations on a goal: Rewriting and simplification Backward and forward chaining Witness Case split First-order proof search (Metis, 1191 times) Specification: Algebraic datatypes Inductive relations Well-founded recursion

37 Verifying type soundness in HOL for OCaml: the core language p. 37/40 Related Work Standard ML Lee, Crary, Harper (POPL 2007) van Inwegen (1996) Maharaj, Gunter (1994) Syme (1993) Java Java: Klein, Nipkow (TOPLAS 2006) Syme (1999) Nipkow, van Oheimb (POPL 1998) C Norrish (1998)

38 Verifying type soundness in HOL for OCaml: the core language p. 38/40 Conclusion Need good tools Can work at full-scale Binding is a minor concern

39 Verifying type soundness in HOL for OCaml: the core language p. 39/40 Type Soundness: Binding let x = (function _ -> let y = function w -> w in y) in let z = x in z (E,

40 Verifying type soundness in HOL for OCaml: the core language p. 40/40 Testing eval_uprim Uprim_ref v = StepAlloc (\e. e) v eval_bprim Bprim_assign v1 v2 = case v1 of Expr_location l -> StepAssign (Expr_constant CONST_unit) l v2 _ -> Stuck

Introduction to OCaml

Fall 2018 Introduction to OCaml Yu Zhang Course web site: http://staff.ustc.edu.cn/~yuzhang/tpl References Learn X in Y Minutes Ocaml Real World OCaml Cornell CS 3110 Spring 2018 Data Structures and Functional